CVE-2025-9162

Org.keycloak/keycloak-model-storage-service: variable injection into environment variables

Description

A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment.

INFO

Published Date :

2025-08-21T15:40:25.136Z

Last Modified :

2025-12-19T21:46:23.680Z

Source :

redhat

AFFECTED PRODUCTS

The following products are affected by CVE-2025-9162 vulnerability.

Vendors	Products
Redhat	Build Keycloak

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-9162.

URL	Resource
https://access.redhat.com/errata/RHSA-2025:15336
https://access.redhat.com/errata/RHSA-2025:15337
https://access.redhat.com/errata/RHSA-2025:15338
https://access.redhat.com/errata/RHSA-2025:15339
https://access.redhat.com/errata/RHSA-2025:16399
https://access.redhat.com/errata/RHSA-2025:16400
https://access.redhat.com/security/cve/CVE-2025-9162
https://bugzilla.redhat.com/show_bug.cgi?id=2389396
https://nvd.nist.gov/vuln/detail/CVE-2025-9162
https://www.cve.org/CVERecord?id=CVE-2025-9162

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact