
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN622
_____________________________________________________________________

DATE                : 18/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running org.keycloak:keycloak-services
                     versions prior to 26.2.8 and 26.3.3.

=====================================================================
https://github.com/keycloak/keycloak/security/advisories/GHSA-m4j5-5x4r-2xp9
_____________________________________________________________________


Keycloak SMTP Inject Vulnerability
Moderate
rmartinc published GHSA-m4j5-5x4r-2xp9 Sep 17, 2025

Package
org.keycloak:keycloak-services (Maven)

Affected versions
<26.2.8, <26.3.3

Patched versions
26.2.8, 26.3.3


Description

Special characters supplied in the e-mail address during registration may
allow SMTP injection and cause short, unwanted e-mails to be sent
unexpectedly. The address is limited to 64 characters (the local part of
the e-mail address), so the attack is limited to very short e-mails (a
subject and little data; the example is 60 characters). This flaw's only
direct consequence is an unsolicited e-mail being sent from the Keycloak
server. However, this action could be a precursor for more sophisticated
attacks.
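As an added example (not code from the advisory or from the Keycloak project), the kind of input check that stops this class of flaw at the registration form: it rejects CR, LF and other control characters and enforces the 64-octet local-part limit the advisory relies on. It assumes plain ASCII addresses (no SMTPUTF8), and the sample inputs are constructed.

```python
import re

# RFC 5321 limit on the local part (the text before '@'); the advisory notes
# that this 64-character cap is what bounds the injected payload.
MAX_LOCAL_PART = 64

# CR, LF and every other ASCII control character: none belong in an address,
# and CR/LF are exactly what turns one header line into several.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Dot-atom characters permitted in a local part (RFC 5322); ASCII only here.
_LOCAL_PART = re.compile(r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+")
_DOMAIN = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def check_email_input(addr: str):
    """Return (accepted, reason). Anything that could reach the mail layer as
    an extra header or body line is rejected before it is ever used."""
    if _CONTROL_CHARS.search(addr):
        return False, "control character (CR/LF/NUL) in address"
    if addr.count("@") != 1:
        return False, "address must contain exactly one '@'"
    local, domain = addr.split("@")
    if not local or not domain:
        return False, "empty local part or domain"
    if len(local) > MAX_LOCAL_PART:
        return False, f"local part exceeds {MAX_LOCAL_PART} octets"
    if not _LOCAL_PART.fullmatch(local):
        return False, "local part contains characters outside dot-atom"
    if not _DOMAIN.fullmatch(domain):
        return False, "domain is not a dotted hostname"
    return True, "ok"


def header_lines_injected(addr: str) -> int:
    """How many extra header lines a raw address would add if a mail library
    copied it verbatim into a 'To:' header (0 for a clean address)."""
    return len(re.split(r"\r\n|\r|\n", addr)) - 1


# Constructed sample registration inputs (hypothetical, not from the advisory).
SAMPLE_INPUTS = [
    "alice@example.org",
    "bob\r\nSubject: hi@example.org",  # line break inside the local part
    "x" * 65 + "@example.org",         # local part over the RFC limit
    "carol@@example.org",
]


def audit(inputs=SAMPLE_INPUTS):
    """Run the check over a batch of inputs; maps each address to its verdict."""
    return {addr: check_email_input(addr) for addr in inputs}
```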

Severity: Moderate (5.3 / 10)

CVSS v3 base metrics
Attack vector       : Network
Attack complexity   : Low
Privileges required : None
User interaction    : None
Scope               : Unchanged
Confidentiality     : None
Integrity           : Low
Availability        : None
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE ID
CVE-2025-8419

Weaknesses
CWE-20: Improper Input Validation
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
