2385776 – (CVE-2025-8419) CVE-2025-8419 org.keycloak/keycloak-services: Keycloak SMTP Inject Vulnerability

Bug 2385776 (CVE-2025-8419) - CVE-2025-8419 org.keycloak/keycloak-services: Keycloak SMTP Inject Vulnerability

Summary: CVE-2025-8419 org.keycloak/keycloak-services: Keycloak SMTP Inject Vulnerability

Keywords:
Status:	NEW
Alias:	CVE-2025-8419
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-07-31 14:29 UTC by OSIDB Bzimport
Modified:	2025-08-06 17:08 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-07-31 14:29:10 UTC

Email injection that can send a spam message (very short) to an email 
eddress.

 1. Using for example the email registration the attacker uses a crafted
    email address with UTF-8 characters like:
    甲申申甶甴甸电甹甸甸畀畱畱瘮畣畯畭甾瘍瘊畄畁畔畁瘍瘊畓畵畢番略畣畴町畐畗畎畅畄瘍瘊瘍瘊畈畡畣畫瘡瘍瘊瘮瘍瘊畑畕畉畔瘍瘊
 2. The special chars in UTF-8 have in lower byte the value:
    2336485988>\r\nDATA\r\nSubject:PWNED\r\n\r\nHack!\r\n.\r\nQUIT\r\n
 3. This creates the email injection that sends the email to the address
    2336485988

Note You need to log in before you can comment on or make changes to this bug.