PT-2025-32199 · Red Hat · Keycloak

Osidb Bzimport · Published 2025-08-06 · Updated 2025-09-17 · CVE-2025-8419

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)

Description: A flaw exists in Keycloak-services where special characters used during email registration may allow SMTP Injection, resulting in the sending of unsolicited emails from the Keycloak server. The attack is limited to short emails (approximately 60 characters) due to the 64-character limit on the local part of the email address. While the direct consequence is limited to sending unwanted emails, this action could potentially be a precursor to more sophisticated attacks.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
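The description above comes down to one defensive requirement: a registration email address must be validated before it is handed to any SMTP client, because CR/LF and other framing characters in the local part are what turn an address into injected SMTP content. The following is an added example written for this record, not Keycloak's own code: a strict allow-list validator for registration addresses that rejects control characters, enforces the 64-octet local-part limit the record mentions (RFC 5321), and reports why an address was refused. The function names and the sample addresses are constructed for illustration.

```python
import re
from typing import Optional

# RFC 5321 caps the local part (before the "@") at 64 octets; the record above
# notes that this same limit bounds what an injected payload can contain.
MAX_LOCAL_PART = 64

# Dot-atom allow-list for the local part (quoted local parts are deliberately
# refused: they are rare in registration forms and widen the attack surface).
_LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+$")
# Plain hostname with at least one dot and an alphabetic top-level label.
_DOMAIN_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def reject_reason(address: str) -> Optional[str]:
    """Return None when `address` is safe to pass to an SMTP client, else a reason."""
    # CR, LF and NUL are the characters that break SMTP command/header framing;
    # check them first so the reason is unambiguous in logs.
    if any(ch in address for ch in "\r\n\x00"):
        return "control character (CR/LF/NUL) in address"
    if address.count("@") != 1:
        return "address must contain exactly one '@'"
    local, domain = address.split("@")
    if not local or len(local.encode("utf-8")) > MAX_LOCAL_PART:
        return f"local part empty or longer than {MAX_LOCAL_PART} octets"
    if (not _LOCAL_PART_RE.fullmatch(local)
            or local.startswith(".") or local.endswith(".") or ".." in local):
        return "local part contains characters outside the dot-atom allow-list"
    if not _DOMAIN_RE.fullmatch(domain):
        return "domain is not a plain dotted hostname"
    return None


def is_safe_registration_email(address: str) -> bool:
    """Boolean wrapper for use at the registration form boundary."""
    return reject_reason(address) is None


if __name__ == "__main__":
    # Constructed sample inputs: two ordinary addresses, one with an embedded
    # line break, one exceeding the local-part limit.
    samples = [
        "alice@example.com",
        "a.b+tag@sub.example.org",
        "alice\r\nx@example.com",
        "a" * 65 + "@example.com",
    ]
    for addr in samples:
        print(repr(addr[:40]), "->", reject_reason(addr) or "accepted")
```

Run the check on the raw form input, before any normalisation or template rendering, and log the reason string rather than the rejected address itself so that the injected characters do not end up in log lines either.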

Weakness Enumeration

Related Identifiers

BDU:2025-09476
CVE-2025-8419
ECHO-891D-8502-3521
GHSA-M4J5-5X4R-2XP9
GHSA-QJ5R-2R5P-PHC7

Affected Products

Keycloak