CVE-2025-10043 in Keycloak
Summary
by MITRE • 09/05/2025
A path traversal validation flaw exists in Keycloak’s vault key handling on Windows. The previous fix for CVE-2024-10492 did not account for the Windows file separator (\). As a result, a high-privilege administrator could probe for the existence of files outside the expected realm context through crafted vault secret lookups. This is a platform-specific variant/incomplete fix of CVE-2024-10492.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 11/07/2025
This vulnerability represents a critical path traversal flaw in Keycloak's vault key handling mechanism specifically affecting Windows environments. The issue stems from an incomplete remediation of CVE-2024-10492 where developers failed to consider the distinct file separator convention used by Microsoft Windows systems. While the original vulnerability was addressed, the fix did not properly account for the backslash character \ used as the path separator on Windows platforms, creating a persistent security gap that allows malicious actors to bypass intended access controls.
The technical flaw manifests when Keycloak processes vault secret lookups on Windows systems where administrators can craft specially formatted requests that exploit the incomplete validation logic. This allows high-privilege administrators with appropriate access levels to probe for file existence outside the designated realm context through carefully constructed vault key references. The vulnerability operates by leveraging the difference between Unix-style forward slashes and Windows backslashes in path resolution, enabling attackers to traverse directories beyond the intended boundaries of the vault storage system.
The operational impact of this vulnerability is significant as it provides unauthorized access to sensitive information that should remain isolated within specific realm contexts. High-privilege administrators could potentially discover and access files belonging to other realms or even system-level configurations that should be protected from cross-contamination. This creates a vector for information disclosure attacks where attackers can map out the file structure of the Keycloak installation and identify sensitive data stored in adjacent or related directories.
This vulnerability aligns with CWE-22 Path Traversal and maps to ATT&CK technique T1083 File and Directory Discovery, as it enables adversaries to enumerate system resources beyond their intended access scope. The incomplete fix pattern demonstrates a common security oversight where remediations fail to consider platform-specific behaviors that can create persistent vulnerabilities. Organizations using Keycloak in Windows environments are particularly at risk since the vulnerability specifically targets the Windows file system separator implementation.
The recommended mitigation involves implementing comprehensive path validation that accounts for all operating system conventions including both forward slashes and backslashes on Windows systems. Administrators should ensure that any vault key lookups undergo strict validation regardless of the underlying platform, with explicit checks that prevent traversal beyond designated realm boundaries. Additionally, organizations should implement monitoring solutions that can detect anomalous vault access patterns and consider applying patches or updates that provide complete protection against both Unix and Windows path traversal scenarios. Regular security assessments should verify that all file system operations properly sanitize input parameters and maintain strict boundary controls for vault key operations across all supported platforms.