5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-0604

GHSA ID

GHSA-2p82-5wwr-43cw

EPSS Score

0.06672%

CWE

CWE-287

Published

3/10/2025

Updated

3/10/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-0604

CVE-2025-0604: Authentication Bypass Due to Missing LDAP Bind After Password Reset in Keycloak

The issue arises because Keycloak does not perform an LDAP bind after a password reset, leading to potential authentication bypass for expired or disabled AD accounts. A fix should enforce LDAP validation after password updates to ensure consistency with AD authentication policies.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-0604

CVE-2025-0604:

5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-0604

GHSA ID

GHSA-2p82-5wwr-43cw

EPSS Score

0.06672%

CWE

CWE-287

Published

3/10/2025

Updated

3/10/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.keycloak:keycloak-ldap-federation	maven	>= 26.1.0, < 26.1.3	26.1.3
org.keycloak:keycloak-ldap-federation	maven	< 26.0.10	26.0.10

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing LDAP bind validation after password resets. Keycloak's LDAP integration uses storage providers (LDAPStorageProvider) and identity stores (LDAPIdentityStore) to manage credentials. The password update workflow likely flows through these components. The absence of an explicit bind operation in these functions after modifying credentials would leave AD policy enforcement gaps. While exact code isn't available, these are core components handling credential updates in LDAP federation, aligning with the described vulnerability mechanism.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-0604: Authentication Bypass Due to Missing LDAP Bind After Password Reset in Keycloak

CVE-2025-0604:

5.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.4

5.4

Basic Information

Basic Information

Technical Details

CVE-2025-0604: Authentication Bypass Due to Missing LDAP Bind After Password Reset in Keycloak

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI