Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Dismissed

Permalink CVE-2025-12150

3.1 LOW

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): LOW
Availability impact (A): NONE

updated 3 weeks ago by @LeSuisse Activity log

Created automatic suggestion 3 weeks, 2 days ago
@LeSuisse removed
5 packages
- terraform-providers.keycloak
- python312Packages.python-keycloak
- python313Packages.python-keycloak
- terraform-providers.keycloak_keycloak
- python314Packages.python-keycloak
3 weeks ago
@LeSuisse dismissed 3 weeks ago

Org.keycloak/keycloak-services: webauthn attestation statement verification bypass

A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.

References

RHSA-2025:21370 x_refsource_REDHAT vendor-advisory
RHSA-2025:21371 x_refsource_REDHAT vendor-advisory
RHSA-2025:22088 x_refsource_REDHAT vendor-advisory
RHSA-2025:22089 x_refsource_REDHAT vendor-advisory
https://access.redhat.com/security/cve/CVE-2025-12150 x_refsource_REDHAT vdb-entry
RHBZ#2406192 issue-tracking x_refsource_REDHAT
https://github.com/keycloak/keycloak/issues/43723

Affected products

keycloak

<26.4.4

rhbk/keycloak-rhel9

*

rhbk/keycloak-rhel9-operator

*

rhbk/keycloak-operator-bundle

*

org.keycloak/keycloak-services

Red Hat build of Keycloak 26.2.11

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

nixos-unstable 26.5.4
- nixpkgs-unstable 26.5.4
- nixos-unstable-small 26.5.4
nixos-25.11 26.5.4
- nixos-25.11-small 26.5.4
- nixpkgs-25.11-darwin 26.5.4

Ignored packages (5)

pkgs.terraform-providers.keycloak

None

nixos-unstable 5.6.0
- nixpkgs-unstable 5.6.0
- nixos-unstable-small 5.7.0
nixos-25.11 5.5.0
- nixos-25.11-small 5.5.0
- nixpkgs-25.11-darwin 5.5.0

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

nixos-25.11 4.0.0
- nixos-25.11-small 4.0.0
- nixpkgs-25.11-darwin 4.0.0

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

nixos-unstable 7.0.2
- nixpkgs-unstable 7.0.2
- nixos-unstable-small 7.0.2
nixos-25.11 4.0.0
- nixos-25.11-small 4.0.0
- nixpkgs-25.11-darwin 4.0.0

pkgs.python314Packages.python-keycloak

Provides access to the Keycloak API

nixos-unstable 7.0.2
- nixpkgs-unstable 7.0.2
- nixos-unstable-small 7.0.2

pkgs.terraform-providers.keycloak_keycloak

None

nixos-unstable 5.6.0
- nixpkgs-unstable 5.6.0
- nixos-unstable-small 5.7.0
nixos-25.11 5.5.0
- nixos-25.11-small 5.5.0
- nixpkgs-25.11-darwin 5.5.0

Package maintainers

@leona-ya Leona Maroni <nix@leona.is>
@NickCao Nick Cao <nickcao@nichi.co>
@ngerstle Nicholas Gerstle <ngerstle@gmail.com>
@talyz Kim Lindberger <kim.lindberger@gmail.com>

Not impacted