Bug 2385776 (CVE-2025-8419)

Summary: CVE-2025-8419 org.keycloak/keycloak-services: Keycloak SMTP Inject Vulnerability
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aschwart, boliveir, mposolda, pjindal, security-response-team, ssilvert, sthorger, vmuzikar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-07-31 14:29:10 UTC 
Email injection that can send a spam message (very short) to an email 
eddress.

 1. Using for example the email registration the attacker uses a crafted
    email address with UTF-8 characters like:
    甲申申甶甴甸电甹甸甸畀畱畱瘮畣畯畭甾瘍瘊畄畁畔畁瘍瘊畓畵畢番略畣畴町畐畗畎畅畄瘍瘊瘍瘊畈畡畣畫瘡瘍瘊瘮瘍瘊畑畕畉畔瘍瘊
 2. The special chars in UTF-8 have in lower byte the value:
    2336485988>\r\nDATA\r\nSubject:PWNED\r\n\r\nHack!\r\n.\r\nQUIT\r\n
 3. This creates the email injection that sends the email to the address
    2336485988