It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout. An attacker with local access could use this to construct a malicious web token whose NBF (not-before) parameter could prevent user access indefinitely.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| keycloak-connect (npm) | 0 | 4.8.3 | N/A |