Replies: 1 comment
I suppose you mean CVE-2025-55182 and the two subsequent CVEs that are commented on here. If you look, those issues are for 19.x (for example CVE-2025-55182) and not for version 18.3.1, which Keycloak is using, and besides, I think that we are not using the server (react-server-*) packages either.
Dear Keycloak Team,
We are writing to bring a security concern to your attention regarding our Keycloak deployment.
Our security team has identified that CVE-2025-55185 and related React vulnerabilities may affect our system. As users of Keycloak, we have proactively upgraded our environment to version 26.4.7 (from 26.0.7). However, we understand that this version still incorporates a React dependency that is subject to the aforementioned vulnerabilities.
To help ensure the security integrity of our and other users' deployments, we kindly request the following actions from your team:
- Upgrade the integrated React dependency to the latest, secure version.
- Release an official patched version of Keycloak that includes this update.
- Provide any recommended temporary mitigation measures that can be applied while awaiting the official patch.
We appreciate your ongoing work on Keycloak and your attention to this security matter. Please let us know if you require any further information from our side.
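The two conditions named in the reply (a React 19.x release line, and the presence of react-server-* packages) can be checked against a dependency lockfile. This is an added example, not code from the thread or from Keycloak: it assumes an npm `package-lock.json` with `lockfileVersion` 2 or 3, the function names are hypothetical, and the sample lockfile is constructed.

```javascript
// Constructed sample lockfile (not Keycloak's): top-level React 18.3.1,
// plus a nested React 19.x copy and a react-server-* package to show hits.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-admin-ui" },
    "node_modules/react": { version: "18.3.1" },
    "node_modules/react-dom": { version: "18.3.1" },
    "node_modules/some-widget/node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; root entry "" -> null
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Return every installed copy that needs review against the advisory:
// any react-server-* package, and any react/react-dom on the 19.x line.
// Nested (transitive) copies are reported too, since a bundler can ship them.
function auditReact(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (!name || !meta.version) continue;
    const major = Number.parseInt(meta.version.split(".")[0], 10);
    if (name.startsWith("react-server-")) {
      findings.push({ path, name, version: meta.version, reason: "react-server-* package present" });
    } else if ((name === "react" || name === "react-dom") && major === 19) {
      findings.push({ path, name, version: meta.version, reason: "React 19.x release line" });
    }
  }
  return findings;
}

for (const f of auditReact(SAMPLE_LOCK)) {
  console.log(`${f.path} ${f.version}: ${f.reason}`);
}
```

A finding means "compare this version with the advisory's affected range", not "vulnerable"; pass `auditReact` the parsed contents of your own lockfile to check a real build.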