Introduction
In the world of application security, Cross-Site Scripting (XSS) issues remain a persistent and dangerous problem. One such flaw, tracked as CVE-2022-4137, was discovered in Keycloak, an open-source identity and access management solution from Red Hat. Specifically, the bug was found in Keycloak's OAuth 'oob' endpoint, allowing attackers to craft malicious links that can steal or alter user data.
In this post, we will break down the details of this vulnerability in plain language. We’ll explain the nature of the bug, show some practical attack scenarios with code snippets, and include official resources for further reading.
- Affected Software: Keycloak (before versions 18..3, 19..3, and 20..1)
- Problem: Improper null-byte handling in the 'oob' (out-of-band) OAuth endpoint allows attackers to inject arbitrary URIs in error pages.
Official References
- Red Hat Security Advisory: CVE-2022-4137
- Keycloak Security Advisory: KEYCLOAK-21143
- NIST NVD Entry: NVD - CVE-2022-4137
How Does the Vulnerability Work?
Keycloak’s ‘oob’ OAuth endpoint is used during OAuth2 flows to display responses or errors to users. The endpoint failed to properly validate or sanitize user-supplied input, especially when a null-byte was used. This made it possible for attackers to inject script payloads by manipulating requests.
- An attacker crafts a URL pointing to the vulnerable Keycloak 'oob' endpoint.
- The URL embeds malicious JavaScript in a parameter (often the redirect_uri or error parameter), possibly encoded or exploiting the improper null-byte handling.
- A user (typically an admin or end user) is tricked into clicking this link (in an email, chat, etc.).
- The user is shown a Keycloak error page with attacker-controlled script executed in their browser.
This kind of XSS can expose cookies, tokens, or other confidential information.
Malicious Link
Suppose Keycloak is running at https://id.example.com/auth/.
The attacker creates a link like this:
https://id.example.com/auth/realms/master/protocol/openid-connect/auth?client_id=test&redirect_uri=oob%00javascript:alert(document.cookie)&response_type=code
*Note*: The %00 represents a null-byte. In earlier versions of Keycloak, null-bytes were not properly filtered, so the system would try to include the entire rest of the URI — including a JavaScript scheme — in the error display.
This causes Keycloak's error page to display something like:
<!-- in the error page html -->
<p>Invalid redirect URI: oobjavascript:alert(document.cookie)</p>
If Keycloak inserts this value into the page without proper HTML escaping, the browser can treat javascript:alert(document.cookie) as an executable script or a clickable link. When the user interacts with it, their cookies (possibly including tokens) are disclosed to the attacker.
If you want to see how this works in raw HTTP, here’s a snippet using curl:
curl "https://id.example.com/auth/realms/master/protocol/openid-connect/auth?client_id=test&redirect_uri=oob%00javascript:alert(document.cookie)&response_type=code"
Or in JavaScript (to show a sample redirect):
window.location = "https://id.example.com/auth/realms/master/protocol/openid-connect/auth?client_id=test&redirect_uri=oob%00javascript:alert(document.cookie)&response_type=code";
Why is This Dangerous?
- Cookie/Token Theft: If a valid session or token cookie exists in the browser, injected JavaScript can read and send it to an attacker’s server.
- Impersonation & Data Modification: With stolen session tokens, an attacker might impersonate the user or change security settings.
- Credential Phishing: Custom scripts delivered in a trusted error page can trick users into revealing credentials.
Mitigation
- Check Logs: Scan for suspicious attempts on the ‘oob’ endpoint.
- Disable/Restrict oob Endpoint: If you don’t need it, disable or restrict access.
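A log check of the kind the "Check Logs" step describes, as an added example that is not part of the original post or of Keycloak itself: it parses constructed access-log lines, keeps only requests to the authorization endpoint, and flags redirect_uri values that still contain a null byte or a javascript: scheme after full percent-decoding, so a double-encoded %2500 is caught as well. The log format, the endpoint path and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (CLF style); not real Keycloak logs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=test&redirect_uri=oob%00javascript:alert(document.cookie)&response_type=code HTTP/1.1" 400 512
203.0.113.8 - - [10/Oct/2023:13:56:01 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=app&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&response_type=code HTTP/1.1" 302 0
203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=test&redirect_uri=oob%2500JAVASCRIPT%3Aalert(1)&response_type=code HTTP/1.1" 400 512
203.0.113.10 - - [10/Oct/2023:13:58:00 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=test&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
AUTH_ENDPOINT = "/protocol/openid-connect/auth"   # assumed Keycloak authorization path suffix
DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")

def decode_fully(value, max_rounds=3):
    # Percent-decode repeatedly so a double-encoded %2500 still surfaces as a null byte.
    for _ in range(max_rounds):
        if unquote(value) == value:
            break
        value = unquote(value)
    return value

def suspicious_value(value):
    # Reason the redirect_uri looks like a CVE-2022-4137 probe, or None if it looks benign.
    decoded = decode_fully(value)
    if "\x00" in decoded:
        return "null byte in redirect_uri"
    hit = next((s for s in DANGEROUS_SCHEMES if s in decoded.lower()), None)
    return f"{hit} scheme in redirect_uri" if hit else None

def scan_log(text):
    # One finding per request to the authorization endpoint with a suspicious redirect_uri.
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith(AUTH_ENDPOINT):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("redirect_uri", []):
            reason = suspicious_value(value)   # parse_qs already removed one layer of encoding
            if reason:
                findings.append({"ip": line.split()[0], "reason": reason})
    return findings

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```

Benign values such as a registered https callback or the urn:ietf:wg:oauth:2.0:oob form pass through untouched, so the check can run over production logs without drowning in noise.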
More Reading
- Red Hat CVE-2022-4137 Advisory
- Keycloak Release Notes
- OWASP: XSS (Cross Site Scripting)
Conclusion
CVE-2022-4137 is a textbook example of how a small oversight — like improper null-byte handling — can lead to powerful XSS bugs in identity management systems. As always, keep your systems updated, watch for suspicious activity, and remember: never trust user input.
If you run Keycloak, update now — and stay safe!
Timeline
Published on: 09/25/2023 20:15:00 UTC
Last modified on: 09/29/2023 04:26:00 UTC