3.1

CVE-2025-12150

Org.keycloak/keycloak-services: webauthn attestation statement verification bypass

A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatBuild Of Keycloak Version < 26.4.4
RedhatBuild Of Keycloak Version- SwEditiontext-only
RedhatKeycloak Version24.0.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.2% 0.1
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 3.1 1.6 1.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
secalert@redhat.com 3.1 1.6 1.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://access.redhat.com/errata/RHSA-2025:21370
Vendor Advisory
https://access.redhat.com/errata/RHSA-2025:21371
Vendor Advisory
https://access.redhat.com/errata/RHSA-2025:22089
Vendor Advisory
https://access.redhat.com/errata/RHSA-2025:22088
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2025-12150
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2406192
Issue Tracking
https://github.com/keycloak/keycloak/issues/43723
Issue Tracking