
CVE-2025-10044: Keycloak error_description injection on error pages that can trigger phishing attacks

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.09846%
Published: 10/17/2025
Updated: 10/17/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.keycloak:keycloak-account-ui | maven | < 26.2.9 | 26.2.9 |
| org.keycloak:keycloak-account-ui | maven | >= 26.3.0, < 26.3.4 | 26.3.4 |
| org.keycloak:keycloak-admin-ui | maven | < 26.2.9 | 26.2.9 |
| org.keycloak:keycloak-admin-ui | maven | >= 26.3.0, < 26.3.4 | 26.3.4 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is a phishing vector caused by the injection of arbitrary text into the error_description query parameter, which is then rendered on Keycloak's error pages. The analysis of the provided patch identified the complete flow of this vulnerability, from the backend processing to the frontend rendering.

The root cause lies in the frontend KeycloakProvider component, which reads the error_description parameter directly from the URL. This untrusted input is then passed to the ErrorPage component. In its vulnerable state, ErrorPage rendered any string passed to it, because its getErrorMessage helper accepted raw strings and returned them unchanged.

On the backend, the org.keycloak.services.resources.account.AccountConsole.redirectToLogin method contributed to the issue. During the login and error handling process, this method would construct redirect URLs that preserved the error_description parameter, effectively passing the attacker-controlled input back to the frontend.

The patch addresses this vulnerability at multiple levels. It removes the backend logic for initiating the login from AccountConsole.java, including the redirectToLogin method. On the frontend, it removes the code that reads the error_description from the URL in KeycloakProvider. Furthermore, it hardens the ErrorPage and getErrorMessage functions to no longer display arbitrary strings, instead relying on a predefined set of translatable error keys. This ensures that only legitimate, translated error messages can be displayed, completely mitigating the phishing vector.

Vulnerable functions

- `KeycloakProvider` (js/libs/ui-shared/src/context/KeycloakContext.tsx): The `KeycloakProvider` component directly reads the `error_description` query parameter from the URL and passes this value as a prop to the `ErrorPage` component. This is the entry point for the malicious input, as an attacker can craft a URL with a deceptive message in this parameter.
- `ErrorPage` (js/libs/ui-shared/src/context/ErrorPage.tsx): The `ErrorPage` component receives the arbitrary string from the `error_description` parameter via its props and renders it on the page. This component trusts and displays the input without validation or sanitization, so the phishing message is displayed within the trusted UI of Keycloak.
- `getErrorMessage` (js/libs/ui-shared/src/context/ErrorPage.tsx): This helper function, used by `ErrorPage`, was designed to process the error information. The vulnerable version accepted a raw string and returned it, which was then rendered. The patch removes this capability, restricting the function to `Error` objects only, thus preventing the direct rendering of the arbitrary string from the URL parameter.
- `org.keycloak.services.resources.account.AccountConsole.redirectToLogin` (services/src/main/java/org/keycloak/services/resources/account/AccountConsole.java): This backend method was part of the authentication flow and was responsible for constructing redirect URLs. In error scenarios, it built a redirect that included the `error_description` parameter from the original request, propagating the malicious input from the backend to the frontend, where it was ultimately rendered. The entire method was removed in the patch to change the authentication flow, which also served to mitigate this vulnerability.
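The flow described above, as an added example that is not Keycloak's own code: a simplified TypeScript model with hypothetical names (`readErrorDescription`, `getErrorMessageVulnerable`, `getErrorMessageHardened`, `ERROR_MESSAGE_KEYS`, the two `renderErrorPage*` functions) showing why passing the raw query string through renders attacker-controlled text, and how restricting the helper to `Error` objects plus an allowlist of translatable keys (the page's "predefined set") stops it.

```typescript
// Added example, not Keycloak's code; all names are hypothetical stand-ins.

// The "predefined set of translatable error keys": the hardened page renders
// only values from this table, never a string that arrived from outside.
export const ERROR_MESSAGE_KEYS: Record<string, string> = {
  unknownError: "An unexpected error occurred.",
  sessionExpired: "Your session has expired. Please sign in again.",
  accessDenied: "You do not have permission to view this page.",
};

// Minimal query-string reader (no DOM/Node URL types, so it runs anywhere).
export function readErrorDescription(url: string): string | undefined {
  const query = url.split("?")[1]?.split("#")[0] ?? "";
  for (const pair of query.split("&")) {
    const [key, value = ""] = pair.split("=");
    if (decodeURIComponent(key) === "error_description") {
      return decodeURIComponent(value.replace(/\+/g, " "));
    }
  }
  return undefined;
}

// Vulnerable helper: a raw string is passed straight through, so whatever the
// URL carried becomes the text shown inside the trusted Keycloak UI.
export function getErrorMessageVulnerable(error: unknown): string {
  if (typeof error === "string") return error;
  if (error instanceof Error) return error.message;
  return ERROR_MESSAGE_KEYS.unknownError;
}

// Hardened helper: only Error objects are accepted, and their message is a
// lookup key into the allowlist. hasOwnProperty (not `in`) stops keys such as
// "constructor" from matching entries inherited from Object.prototype.
export function getErrorMessageHardened(error: unknown): string {
  if (error instanceof Error &&
      Object.prototype.hasOwnProperty.call(ERROR_MESSAGE_KEYS, error.message)) {
    return ERROR_MESSAGE_KEYS[error.message];
  }
  return ERROR_MESSAGE_KEYS.unknownError;
}

// Vulnerable provider: URL parameter -> ErrorPage prop -> rendered text.
export function renderErrorPageVulnerable(url: string): string {
  return getErrorMessageVulnerable(readErrorDescription(url));
}
// Hardened provider: the URL is never read; only an app-raised Error picks
// the translated message.
export function renderErrorPageHardened(error: unknown): string {
  return getErrorMessageHardened(error);
}
```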

WAF Protection Rules

WAF Rule

Keycloak’s Account Console accepts arbitrary text in the `error_description` query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleadi
