SMTP Injection Vulnerability in Keycloak Services
CVE-2025-8419

6.5MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Build Of Keycloak
Vendor: CVE Published:; 6 August 2025

What is CVE-2025-8419?

A vulnerability in Keycloak Services allows for SMTP injection during email registration. This issue arises from the handling of special characters, permitting an attacker to send unsolicited short emails from the Keycloak server. The attack is limited to emails with 64 characters or fewer, restricting the potential damage to brief messages containing minimal information. While the immediate consequence is the unintended dispatch of emails, this vulnerability could serve as a foothold for more advanced attacks in the future.

References

https://access.redhat.com/security/cve/CVE-2025-8419

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2385776

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 6, 2025
Vulnerability Reserved
Jul 31, 2025

Red Hat

What is CVE-2025-8419?

References

CVSS V3.1

Timeline