
CVE-2025-7365: Keycloak vulnerable to phishing attacks through its Review Profile section

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.00452%
Published: 7/10/2025
Updated: 7/10/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

Package Name: org.keycloak:keycloak-services
Ecosystem: maven
Vulnerable Versions: < 26.3.0
First Patched Version: 26.3.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is a logic flaw in Keycloak's 'First Broker Login' authentication flow, which runs the first time a user logs in through an external Identity Provider (IdP). The root cause is that two authenticators in the flow do not share state: the first lets the user overwrite the email address, and the second trusts that address as if it still came from the IdP. The email is therefore checked at one point and used later, after it has been changed, which is a time-of-check to time-of-use (TOCTOU) pattern.

  1. Profile Review (IdpReviewProfileAuthenticator.action): during the flow, the user (here an attacker who already holds an account at the IdP) is shown a 'Review Profile' screen and may edit profile fields, including the email address. The attacker replaces their own email with the victim's. In the vulnerable version this change was not recorded anywhere as a manual modification of the profile.

  2. Email Verification (IdpEmailVerificationAuthenticator.authenticateImpl): this authenticator runs after the profile review and verifies the email by sending a confirmation link. It read the email address from the authentication session with no way to tell that it had been altered in the previous step, and so sent the verification email to the victim's address. The victim receives a legitimate-looking Keycloak verification message they never requested, which is the phishing vector.

The patch adds a signal between the two authenticators. IdpReviewProfileAuthenticator now sets a flag (UPDATE_PROFILE_EMAIL_CHANGED) in the authentication session whenever the email is changed on the review screen, and IdpEmailVerificationAuthenticator checks for it; if the flag is present it aborts the email verification step instead of mailing the changed address. Exploitation requires these two functions to execute in sequence within a single login attempt by an IdP-authenticated user, and the victim must act on the email, which matches the PR:L and UI:R components of the CVSS vector. The fix ships in keycloak-services 26.3.0; any deployment below that version with an IdP and the default first-broker-login flow should be upgraded.
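The two-step sequence above, modelled as an added Python simulation written for this page (it is not Keycloak's code): one authentication session is shared by a review-profile step and an email-verification step, and the flow is run once without the signalling flag and once with it. The class and function names (AuthSession, review_profile_action, email_verification_authenticate, run_first_broker_login) and the sample addresses are assumptions made for the example; only the flag name UPDATE_PROFILE_EMAIL_CHANGED comes from the page.

```python
"""Simulation of the Keycloak first-broker-login flow around CVE-2025-7365.

Added example for this page, not Keycloak source. The names below are
assumptions that mirror the roles of IdpReviewProfileAuthenticator.action
and IdpEmailVerificationAuthenticator.authenticateImpl.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional, Tuple

# Flag name as given in the patch description on this page.
UPDATE_PROFILE_EMAIL_CHANGED = "UPDATE_PROFILE_EMAIL_CHANGED"


@dataclass
class AuthSession:
    """Stand-in for the authentication session both authenticators read."""
    brokered_email: str                       # email asserted by the external IdP
    profile_email: str                        # email after the Review Profile step
    notes: dict = field(default_factory=dict)  # shared auth notes (assumed name)


def review_profile_action(session: AuthSession, submitted_email: str, patched: bool) -> None:
    """Step 1: the user submits the Review Profile form, possibly with a new email."""
    if submitted_email != session.profile_email:
        session.profile_email = submitted_email
        if patched:
            # Fixed behaviour: record that the email was manually changed.
            session.notes[UPDATE_PROFILE_EMAIL_CHANGED] = "true"


def email_verification_authenticate(session: AuthSession, patched: bool) -> Tuple[str, Optional[str]]:
    """Step 2: decide whether a verification link is sent, and to whom.

    Returns ("send", recipient) or ("abort", None).
    """
    if patched and session.notes.get(UPDATE_PROFILE_EMAIL_CHANGED) == "true":
        # Fixed behaviour: never mail an address the user just typed in.
        return ("abort", None)
    # Vulnerable behaviour: trust whatever email is in the session.
    return ("send", session.profile_email)


def run_first_broker_login(idp_email: str, submitted_email: str, patched: bool) -> Tuple[str, Optional[str]]:
    """Run both authenticators in sequence, as the flow does for a first IdP login."""
    session = AuthSession(brokered_email=idp_email, profile_email=idp_email)
    review_profile_action(session, submitted_email, patched)
    return email_verification_authenticate(session, patched)


if __name__ == "__main__":
    # Constructed sample addresses: the attacker's IdP identity and the victim's.
    attacker, victim = "attacker@example.net", "victim@example.com"
    print("vulnerable:", run_first_broker_login(attacker, victim, patched=False))
    print("patched:   ", run_first_broker_login(attacker, victim, patched=True))
    print("unchanged: ", run_first_broker_login(attacker, attacker, patched=True))
```

In the unpatched run the verification mail goes to the victim's address; in the patched run the step aborts, while a login that leaves the IdP-supplied email untouched still gets its verification mail. In Keycloak itself the natural home for such a flag is the auth notes on the authentication session model, which is what the notes dictionary stands in for; that mapping is an assumption of the example. The operational check is simpler than the model: confirm that org.keycloak:keycloak-services is at 26.3.0 or later on every instance that has an IdP configured.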


WAF Protection Rules

WAF Rule

A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerabil
