Overview
A critical flaw, tracked as CVE-2024-1132, was discovered in Keycloak—an open-source identity and access management solution. This vulnerability is related to improper validation of redirect URLs. If improperly configured (most commonly when a wildcard is used in the list of Valid Redirect URIs for a client), attackers can trick users into visiting crafted URLs to steal information or perform malicious actions.
This post breaks down the vulnerability, provides an example exploit scenario, and offers mitigation steps. All content here is original, direct, and easy to follow for developers, system admins, and security professionals.
Reference Links
- NVD - CVE-2024-1132
- Keycloak Issue Tracker *(insert actual ticket if/when available)*
- Official Keycloak Documentation: Redirect URIs
Understanding The Flaw
Normally, OAuth flows (like those Keycloak manages) redirect users to redirect_uri values after login. Keycloak lets administrators set which URIs are safe to redirect to, but it supports wildcards for flexibility.
The problem:
If you use wildcards (for example: https://example.com/*), Keycloak doesn’t always validate the final redirect properly. Attackers can use carefully crafted URLs to trick Keycloak into redirecting users wherever they want—potentially exposing sensitive data, allowing phishing, or letting unauthorized access happen.
Suppose your client’s "Valid Redirect URIs" field is set to
https://yourcorp.com/*
An attacker can send a link to a targeted user like
https://auth.yourcorp.com/auth?client_id=myclient&redirect_uri=https://yourcorp.com/%09.malicious.com/
The “%09” is a URL-encoded tab character. Some browsers (and Keycloak's older checks) may interpret this so that the real redirect goes to malicious.com, not yourcorp.com.
1. Administrator Configures a Wildcard
The administrator configures the Keycloak client with a wildcard:
Valid Redirect URIs: https://yourcorp.com/*
2. Attacker Crafts a Malicious URL
The attacker crafts a URL that abuses the lax validation (one URL, broken across lines here for readability):
https://auth.yourcorp.com/auth/realms/master/protocol/openid-connect/auth?
client_id=trustedClient&
redirect_uri=https://yourcorp.com%09.attacker.com/&
response_type=code
3. User Clicks the Link
The victim is tricked (maybe via phishing or social engineering) into clicking the malicious login link.
4. Keycloak Authorizes Redirect
Keycloak sees the URL as matching the allowed pattern, but the browser ends up redirecting to attacker.com, possibly with access codes or tokens in the query string.
5. Attacker Gets Sensitive Data
The attacker can use the code/token data to impersonate the victim, access APIs, or further exploit the application.
Sample Node.js Snippet to Detect Suspicious Redirects
```javascript
const http = require('http');

// Test the RAW request URL: URL/querystring parsing decodes %09 into a
// literal tab, so a regex for "%09" on the decoded value would never match.
function hasEncodedControlChar(rawUrl) {
  return /%(?:09|0a|0d)/i.test(rawUrl); // encoded tab, LF, CR
}

http.createServer((req, res) => {
  const parsed = new URL(req.url, 'http://localhost');
  const redirectUri = parsed.searchParams.get('redirect_uri');
  // Quick check: encoded control characters in the raw URL, or literal
  // tab/newline characters that survived decoding.
  if (redirectUri && (hasEncodedControlChar(req.url) || /[\t\n\r]/.test(redirectUri))) {
    console.log('Potential exploit attempt: ' + redirectUri);
    res.writeHead(400);
    res.end('Invalid redirect');
    return;
  }
  // ... Normal redirect logic here
  res.end('OK');
}).listen(3000, () => { // 3000 rather than 300: ports below 1024 need root
  console.log('Server running on port 3000');
});
```
Why Wildcards Are Dangerous
Using a wildcard allows any path under a domain, but doesn’t stop encoded tricks or obscure subdomain combinations. Attackers are experts at finding creative ways to bypass these simple matches.
If your Keycloak setup allows redirects like https://*.yourcorp.com/*, it’s even worse. Nearly any attacker-controlled subdomain might work.
Don’t Use Wildcards
Always use fully specified (exact) redirect URIs. Don’t use * or expressions like https://example.com/*.
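The following is an added example (not Keycloak's own code) of what "fully specified redirect URIs" look like when enforced at an authorization endpoint: control characters and their percent-encoded forms are refused before parsing, the URL is then parsed with the WHATWG parser, and the normalized result must equal a registered entry exactly. The function names, the allow-list and the sample inputs are hypothetical; the sample inputs reuse the URLs from the scenario above. The `hostAfterParsing` helper only illustrates why the control-character check has to run first: the WHATWG parser strips tab and newline characters, so the host would otherwise silently change.

```javascript
// Added example, not Keycloak's implementation. Names are hypothetical.

// Registered redirect URIs for the client: exact URLs only, no wildcards
// (constructed allow-list for this example).
const ALLOWED_REDIRECT_URIS = [
  'https://yourcorp.com/callback',
  'https://yourcorp.com/app/login/oauth2/code/keycloak',
];

// Raw ASCII control characters and space (covers literal tab, LF, CR) ...
const RAW_CONTROL = /[\x00-\x20\x7f]/;
// ... and their percent-encoded forms (%00-%1F, %7F), e.g. %09, %0A, %0D.
const ENCODED_CONTROL = /%(?:[01][0-9a-f]|7f)/i;

// Returns { ok, reason } so the caller can log why a redirect was refused.
function checkRedirectUri(rawUri, allowed = ALLOWED_REDIRECT_URIS) {
  if (typeof rawUri !== 'string' || rawUri.length === 0) {
    return { ok: false, reason: 'missing' };
  }
  // 1. Reject control characters BEFORE parsing: the WHATWG URL parser strips
  //    tab/LF/CR, so "yourcorp.com\t.attacker.com" would otherwise become the
  //    host "yourcorp.com.attacker.com".
  if (RAW_CONTROL.test(rawUri)) return { ok: false, reason: 'control-char' };
  if (ENCODED_CONTROL.test(rawUri)) return { ok: false, reason: 'encoded-control-char' };

  // 2. Parse with the WHATWG parser; anything it cannot parse is refused.
  let parsed;
  try {
    parsed = new URL(rawUri);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (parsed.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (parsed.username || parsed.password) return { ok: false, reason: 'credentials' };

  // 3. Exact match on the normalized href (lower-cased host, default port
  //    dropped). No prefix or wildcard comparison: query and fragment must match too.
  const normalizedAllowed = allowed.map((u) => new URL(u).href);
  if (!normalizedAllowed.includes(parsed.href)) {
    return { ok: false, reason: 'not-registered' };
  }
  return { ok: true, reason: 'exact-match', href: parsed.href };
}

// What the parser makes of the host once control characters are present;
// used only to explain why step 1 has to come first.
function hostAfterParsing(rawUri) {
  try {
    return new URL(rawUri).hostname;
  } catch {
    return null;
  }
}

// Constructed sample inputs (from the scenario above, not real traffic).
const SAMPLES = [
  'https://yourcorp.com/callback',
  'https://YOURCORP.com/callback',
  'https://yourcorp.com\t.attacker.com/',
  'https://yourcorp.com%09.attacker.com/',
  'https://yourcorp.com.attacker.com/callback',
  'https://yourcorp.com/callback?next=x',
  'http://yourcorp.com/callback',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(checkRedirectUri(s)));
}
console.log('host after parsing the tab variant:',
  hostAfterParsing('https://yourcorp.com\t.attacker.com/'));
```

The order of the three steps matters: parsing first would normalize away the very characters the check is looking for, and a prefix comparison at the end would re-introduce the wildcard behaviour the post warns against. Logging the `reason` gives a detection signal for attempts that never reach the redirect.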
Review Existing Clients
Audit all registered clients in your Keycloak. Check if any use wildcards in the "Valid Redirect URIs" field.
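An added audit helper (not part of Keycloak) for this review step: it walks a list of client definitions and reports every redirect URI entry that uses a wildcard, plain HTTP, or a custom scheme. It assumes the input has the shape of the JSON array returned by the Keycloak admin REST endpoint `GET /admin/realms/{realm}/clients`, where each client carries `clientId` and `redirectUris` (an assumption to check against your version); the sample clients below are constructed for the example.

```javascript
// Added example, not Keycloak code. Input shape (clientId, redirectUris) is
// assumed to match the admin REST client list; verify against your version.

// Classify one redirect URI entry; returns null when it looks fine.
function classifyRedirectUri(uri) {
  if (uri === '*') return 'bare-wildcard';                     // anything goes
  if (/^https?:\/\/\*/.test(uri)) return 'subdomain-wildcard'; // https://*.yourcorp.com/*
  if (uri.includes('*')) return 'path-wildcard';               // https://yourcorp.com/*
  if (/^http:\/\//i.test(uri)) return 'plain-http';            // token over cleartext
  if (!/^https:\/\//i.test(uri)) return 'custom-scheme';       // native app schemes: review
  return null;
}

// Walk all clients and collect findings as { clientId, uri, issue }.
function auditClients(clients) {
  const findings = [];
  for (const client of clients) {
    for (const uri of client.redirectUris || []) {
      const issue = classifyRedirectUri(uri);
      if (issue) findings.push({ clientId: client.clientId, uri, issue });
    }
  }
  return findings;
}

// Constructed sample (not exported from a real realm).
const SAMPLE_CLIENTS = [
  { clientId: 'account', redirectUris: ['https://yourcorp.com/account/callback'] },
  { clientId: 'myclient', redirectUris: ['https://yourcorp.com/*'] },
  { clientId: 'legacy-portal', redirectUris: ['https://*.yourcorp.com/*', 'http://localhost:8080/cb'] },
  { clientId: 'mobile', redirectUris: ['com.yourcorp.app://oauth'] },
  { clientId: 'broken', redirectUris: ['*'] },
];

console.table(auditClients(SAMPLE_CLIENTS));
```

To run it against a real realm, save the admin REST response to a file and replace `SAMPLE_CLIENTS` with the parsed file contents; the wildcard findings are the ones to fix first, and `plain-http` entries on localhost are usually development leftovers that should not exist in a production realm.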
Update Keycloak
If a patch or new release is available, upgrade Keycloak immediately. Monitor Keycloak’s Security Advisories.
Responsible Disclosure
This flaw was responsibly reported and tracked as CVE-2024-1132. The Keycloak project is expected to fix and release guidance soon. Implementation of tighter URL validation (disallow encoded tabs, newlines, etc.) is the best long-term fix.
Final Thoughts
Keycloak is popular because it’s flexible and open-source. But powerful configuration options—like wildcards in redirect URIs—can backfire badly if not used carefully.
Takeaway:
Never use wildcards in production OAuth redirect URLs. Always review URI validation logic and upgrade promptly when security updates are released.
For questions or sharing findings:
- Discuss on Keycloak User Mail List
- Open Issue on Keycloak GitHub
Timeline
Published on: 04/17/2024 14:15:07 UTC
Last modified on: 04/17/2024 16:15:07 UTC