CVE-2025-12150 Overview
A flaw was found in Keycloak's WebAuthn registration component that allows attackers to bypass the configured attestation policy and register untrusted or forged authenticators. By submitting an attestation object with fmt: "none", an attacker can circumvent realm configurations that require direct attestation, leading to weakened authentication integrity and unauthorized authenticator registration.
Critical Impact
Attackers can register forged or untrusted WebAuthn authenticators by bypassing attestation verification, undermining the security guarantees of WebAuthn-based multi-factor authentication.
Affected Products
- Red Hat Build of Keycloak
- Red Hat Keycloak
- Keycloak version 24.0.2
Discovery Timeline
- 2026-02-27 - CVE CVE-2025-12150 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2025-12150
Vulnerability Analysis
This vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature), affecting Keycloak's WebAuthn implementation. The flaw exists in how Keycloak processes attestation objects during WebAuthn authenticator registration.
WebAuthn attestation is designed to provide cryptographic proof that an authenticator is genuine and meets certain security requirements. Organizations can configure their Keycloak realms to require "direct" attestation, which mandates that authenticators provide verifiable attestation statements from their manufacturers.
However, the vulnerability allows an attacker to submit an attestation object with the format type set to "none", effectively bypassing the attestation verification process entirely. This occurs because the Keycloak WebAuthn registration flow does not properly enforce the configured attestation policy when processing incoming registration requests.
Root Cause
The root cause lies in insufficient validation of the attestation format field during WebAuthn credential registration. When a user registers a WebAuthn authenticator, the client sends an attestation object containing the attestation statement. Keycloak fails to properly reject attestation objects with fmt: "none" when the realm policy explicitly requires direct attestation verification.
This improper verification of cryptographic signatures (CWE-347) allows the registration process to succeed without validating the authenticator's authenticity, even when stricter attestation policies are configured at the realm level.
Attack Vector
The attack is network-based and requires user interaction, as the attacker must intercept or manipulate the WebAuthn registration flow. An attacker can exploit this vulnerability by:
- Initiating a WebAuthn authenticator registration process
- Intercepting the registration request before it reaches the Keycloak server
- Modifying the attestation object to set fmt: "none", removing any legitimate attestation statement
- Submitting the modified registration request to Keycloak
- Successfully registering an unverified authenticator despite realm-level attestation requirements
The vulnerability enables the registration of software-based or emulated authenticators in environments where only hardware-backed, vendor-verified authenticators should be permitted.
Detection Methods for CVE-2025-12150
Indicators of Compromise
- WebAuthn authenticator registrations with attestation format "none" in environments configured for direct attestation
- Unexpected or unauthorized authenticator registrations in user accounts
- Audit logs showing successful WebAuthn registrations that bypass expected attestation verification
Detection Strategies
- Review Keycloak audit logs for WebAuthn registration events and verify attestation formats match configured policies
- Monitor for anomalous patterns in authenticator registrations, particularly bulk registrations or registrations from unexpected sources
- Implement application-level logging to capture attestation object details during WebAuthn registration flows
Monitoring Recommendations
- Enable detailed audit logging for all WebAuthn registration events in Keycloak
- Alert on WebAuthn registrations where the attestation format does not match the configured realm policy
- Periodically audit registered authenticators to identify any that may have bypassed attestation verification
How to Mitigate CVE-2025-12150
Immediate Actions Required
- Apply the latest security patches from Red Hat for Keycloak and Red Hat Build of Keycloak
- Audit existing WebAuthn authenticator registrations to identify any that may have bypassed attestation verification
- Consider temporarily disabling WebAuthn registration until patches can be applied in high-security environments
Patch Information
Red Hat has released security advisories addressing this vulnerability. Organizations should apply the patches referenced in the following advisories:
- Red Hat Security Advisory RHSA-2025:21370
- Red Hat Security Advisory RHSA-2025:21371
- Red Hat Security Advisory RHSA-2025:22088
- Red Hat Security Advisory RHSA-2025:22089
For additional details, see the Red Hat CVE Report for CVE-2025-12150 and GitHub Keycloak Issue #43723.
Workarounds
- Implement additional server-side validation of attestation objects at the application layer before accepting WebAuthn registrations
- Deploy a reverse proxy or web application firewall (WAF) rule to inspect and reject WebAuthn registration requests containing fmt: "none" when direct attestation is required
- Temporarily restrict WebAuthn registration to trusted network segments or require administrative approval for new authenticator registrations
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
