Missing Critical Step in Authentication Affecting org.keycloak:keycloak-services package, versions [0,]

Q: How to fix?

There is no fixed version for org.keycloak:keycloak-services .

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JAVA-ORGKEYCLOAK-13746461
published5 Nov 2025
disclosed28 Oct 2025
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 28 Oct 2025

NewCVE-2025-12150 (opens in a new tab) CWE-302 (opens in a new tab) CWE-304 (opens in a new tab)

How to fix?

There is no fixed version for org.keycloak:keycloak-services.

Overview

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the WebAuthn Attestation Statement verification. An attacker can influence policy enforcement by manipulating the registration flow or using a rogue authenticator under user control.

References

Red Hat Bugzilla Bug

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
Passive

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None