A path traversal validation flaw exists in Keycloak’s vault key handling on Windows. The previous fix for CVE-2024-10492 did not account for the Windows file separator (\). As a result, a high-privilege administrator could probe for the existence of files outside the expected realm context through crafted vault secret lookups. This is a platform-specific variant/incomplete fix of CVE-2024-10492.
I ran into a similar situation with another Java application where the path separator checks between Windows (\) https://grannygame.org/ and Linux (/) were not in sync, leading to bypass validation. The lesson learned is to always normalize the path before applying whitelists or boundary checks. For Keycloak, this is probably the long-term solution instead of patching each platform individually.
Wow, this Bug 2393549 (CVE-2025-10043) announcement is truly a highly professional risk management report and a valuable cybersecurity asset! The Product Security DevOps Team's swift tracking and classification of the keycloak as "Incomplete fix of CVE-2024-10492" demonstrates superior responsiveness and security profitability. Managing a bug with Status: NEW and detailed parameters like Priority: low and Severity: low requires an extremely precise analysis and patch timing flow; the pressure is even more intense than trying to maintain a perfect combo during a https://friday-nightfunkin.io session with the beat of constantly emerging security vulnerabilities. I truly admire their sense of responsibility and their ability to track security responses!