Vulnerability Description
A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2025:16399
- https://access.redhat.com/errata/RHSA-2025:16400
- https://access.redhat.com/errata/RHSA-2025:19923
- https://access.redhat.com/errata/RHSA-2025:19925
- https://access.redhat.com/security/cve/CVE-2025-10044
- https://bugzilla.redhat.com/show_bug.cgi?id=2393551
- https://github.com/keycloak/keycloak/pull/42443
FAQ
What is CVE-2025-10044?
CVE-2025-10044 is a vulnerability with a CVSS score of 4.3 (MEDIUM). A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validatio...
How severe is CVE-2025-10044?
CVE-2025-10044 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-10044?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.