keycloak-connect@4.6.0 vulnerabilities

Keycloak Connect Middleware

Direct Vulnerabilities

Known vulnerabilities in the keycloak-connect package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Open Redirect

keycloak-connect is a Identity and Access Management solution for modern Applications and Services.

Affected versions of this package are vulnerable to Open Redirect. via the checkSso function. checkSSO function uses the query param 'prompt=none' when forwarding the request to KeyCloak. This may allow authenticating the user without interaction as long as the user is already authenticated with KeyCloak.

Note: This package is deprecated and will be removed in the future.

How to fix Open Redirect?

Upgrade keycloak-connect to version 21.0.1 or higher.

<21.0.1
  • L
Cross-site Scripting (XSS)

keycloak-connect is an Identity and Access Management solution for modern Applications and Services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The Keycloak NodeJS adapter did not support verify-token-audience. This could result in some users having access to sensitive information outside of their permissions.

How to fix Cross-site Scripting (XSS)?

Upgrade keycloak-connect to version 10.0.0 or higher.

<10.0.0