CVE-2022-2237

6.1 MEDIUM

📋 TL;DR

CVE-2022-2237 is an open redirect vulnerability in the checkSso function of Keycloak's Node.js adapter. It allows attackers to redirect users to malicious websites after authentication. Organizations using the Keycloak Node.js adapter for authentication are affected.

💻 Affected Systems

Products:
  • Keycloak Node.js Adapter
Versions: All versions before 18.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the Keycloak Node.js adapter with checkSso functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could redirect authenticated users to phishing sites to steal credentials or session tokens, potentially leading to account compromise.

🟠 Likely Case

Users are redirected to malicious sites that may attempt credential harvesting or malware distribution.

🟢 If Mitigated

With proper input validation and URL filtering, impact is limited to failed redirect attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (clicking a link) and the user must be authenticated via Keycloak.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Keycloak 18.0.0 and later

Vendor Advisory: https://access.redhat.com/security/cve/cve-2022-2237

Restart Required: Yes

Instructions:

1. Update the Keycloak Node.js adapter (keycloak-connect) to version 18.0.0 or later.
2. Update package.json dependencies.
3. Restart the Node.js application.
4. Test authentication flows.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Implement server-side validation to reject redirect URLs that point to external domains.

// In your Node.js middleware ("yourdomain.com" is a placeholder for your own host).
// Accept only site-relative paths (a single leading "/", so "//evil.example" is rejected)
// or absolute URLs on your own origin (trailing "/", so "http://yourdomain.com.evil" is rejected):
if (redirectUrl) {
  const isSitePath = redirectUrl.startsWith('/') && !redirectUrl.startsWith('//');
  const isOwnOrigin = redirectUrl.startsWith('http://yourdomain.com/');
  if (!isSitePath && !isOwnOrigin) {
    return res.status(400).send('Invalid redirect');
  }
}
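A more complete version of the same workaround, written here as an added example rather than code from the Keycloak project: it resolves the redirect target with the WHATWG URL parser and compares the exact hostname against an allowlist instead of doing string-prefix checks, so protocol-relative URLs, look-alike hostnames and userinfo tricks are all rejected. The query parameter name `redirectUrl`, the host `app.example.com` and the Express-style `(req, res, next)` middleware shape are assumptions for illustration.

```javascript
// Added example (not Keycloak project code): allowlist-based validation of a
// post-login redirect target. The query parameter name "redirectUrl" and the
// host "app.example.com" are assumptions for illustration.

// Hosts this application is willing to send a user to after authentication.
const ALLOWED_HOSTS = new Set(['app.example.com']);

// Returns true only for a site-relative path or an http(s) URL whose hostname
// is exactly on the allowlist. Protocol-relative "//host", backslash variants,
// prefix look-alikes ("app.example.com.evil.example") and userinfo tricks
// ("https://app.example.com@evil.example/") all fail this check.
function isSafeRedirect(target, allowedHosts = ALLOWED_HOSTS) {
  if (typeof target !== 'string' || target === '') return false;
  if (target.startsWith('/')) {
    // A second "/" or "\" right after the first would make browsers treat it
    // as a network-path reference to another host.
    return !/^\/[\\/]/.test(target);
  }
  let parsed;
  try {
    parsed = new URL(target); // WHATWG URL parser, global in Node.js
  } catch {
    return false; // neither a site-relative path nor a parseable absolute URL
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return false;
  return allowedHosts.has(parsed.hostname.toLowerCase());
}

// Express-style middleware factory: reject the request before the adapter's
// checkSso logic ever sees an unsafe redirect parameter.
function redirectGuard(paramName = 'redirectUrl', allowedHosts = ALLOWED_HOSTS) {
  return function (req, res, next) {
    const target = req.query ? req.query[paramName] : undefined;
    if (target !== undefined && !isSafeRedirect(target, allowedHosts)) {
      res.status(400).send('Invalid redirect');
      return;
    }
    next();
  };
}

// Runs the middleware against a stub response so the decision can be observed
// without a running server; returns { allowed, status }.
function evaluateRequest(query, paramName = 'redirectUrl') {
  let status = null;
  let allowed = false;
  const res = {
    status(code) { status = code; return this; },
    send() { return this; },
  };
  redirectGuard(paramName)({ query }, res, () => { allowed = true; });
  return { allowed, status };
}

// Constructed sample inputs, from benign to the shapes the naive prefix check misses.
const SAMPLES = [
  '/dashboard',
  'https://app.example.com/home',
  '//evil.example/phish',
  'https://app.example.com.evil.example/',
  'https://app.example.com@evil.example/',
  'javascript:alert(1)',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(evaluateRequest({ redirectUrl: s })));
}
```

Mount `redirectGuard()` ahead of the Keycloak adapter middleware on the routes that accept a redirect parameter; the hostname comparison ignores the port, so add the port to the allowlist logic if your deployment needs to distinguish it.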

🧯 If You Can't Patch

  • Implement WAF rules to block redirects to external domains from authentication endpoints
  • Monitor authentication logs for unusual redirect patterns and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check package.json for keycloak-connect version. If version < 18.0.0, you are vulnerable.

Check Version:

npm list keycloak-connect

Verify Fix Applied:

After updating, test authentication flow with malicious redirect parameter to confirm it's blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual redirect URLs in authentication logs
  • Failed authentication attempts with external URLs

Network Indicators:

  • HTTP 302 redirects to external domains after /auth endpoints
  • Unusual outbound traffic patterns post-authentication

SIEM Query:

source="keycloak.log" AND "redirect" AND NOT (url_domain="yourdomain.com" OR url_domain="localhost")
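The network indicator above (302 responses from /auth endpoints whose Location points off-site) can be checked offline against proxy logs. The following is an added example, not part of this advisory or of Keycloak; the log line format and the sample lines are constructed, and the application host `app.example.com` is an assumption, so adapt `parseLine` to whatever your reverse proxy actually emits.

```javascript
// Added example (not from the advisory or Keycloak): flag HTTP 302 responses
// from authentication endpoints whose Location header leads outside the
// application's own hosts. Log format and sample lines are constructed.

const OWN_HOSTS = new Set(['app.example.com', 'localhost']);
const APP_ORIGIN = 'https://app.example.com'; // assumed application origin

// Constructed sample lines: "<ip> <method> <path> <status> location=<url>"
const SAMPLE_LOG = [
  '10.0.0.5 GET /auth/callback?state=abc 302 location=/dashboard',
  '10.0.0.7 GET /auth/callback?state=def 302 location=https://app.example.com/home',
  '10.0.0.9 GET /auth/callback?state=ghi 302 location=https://login.evil.example/phish',
  '10.0.0.9 GET /auth/callback?state=jkl 302 location=//evil.example/',
  '10.0.0.2 GET /static/app.js 200 location=-',
];

// Parses one constructed log line; returns null for lines that do not match.
function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\d{3}) location=(\S+)$/.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], path: m[3], status: Number(m[4]), location: m[5] };
}

// Resolve Location against the app origin so relative paths and
// protocol-relative URLs are classified by the host the browser would reach.
function redirectHost(location, origin = APP_ORIGIN) {
  try {
    return new URL(location, origin).hostname.toLowerCase();
  } catch {
    return null; // unparseable Location: nothing a browser would follow
  }
}

// Returns one record per 302 from an /auth* path whose target host is not ours.
function findExternalRedirects(lines, ownHosts = OWN_HOSTS) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.status !== 302 || !rec.path.startsWith('/auth')) continue;
    const host = redirectHost(rec.location);
    if (host === null || ownHosts.has(host)) continue;
    hits.push({ ip: rec.ip, path: rec.path, host });
  }
  return hits;
}

for (const hit of findExternalRedirects(SAMPLE_LOG)) {
  console.log(`external redirect from ${hit.path} to ${hit.host} (client ${hit.ip})`);
}
```

Because `redirectHost` resolves against the application origin, a Location of `/dashboard` classifies as your own host while `//evil.example/` classifies as external, which is the distinction a plain substring match on the domain name misses.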
