CVE-2025-10939: 
Java vulnerability analysis and mitigation

CVE-2025-10939 is a security vulnerability discovered in Keycloak, reported on October 28, 2025. The vulnerability relates to a path traversal issue where the admin console path (/admin) can be accessed even when explicitly configured to be restricted in proxy setups. This vulnerability primarily affects Keycloak installations using proxy configurations, particularly with HAProxy (NVD, Red Hat Bugzilla).

The vulnerability stems from improper handling of relative and non-normalized paths in proxy configurations. Specifically, when using HAProxy, attackers can bypass intended access restrictions by using path traversal sequences (e.g., '../') to access the /admin application path relative to /realms. The vulnerability has been assigned a CVSS v3.1 base score of 3.7 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with high attack complexity (NVD).

The vulnerability allows unauthorized access to the admin console path that was intended to be restricted. While authentication is still required to access the admin console, this bypass exposes an endpoint that administrators specifically configured to be inaccessible, potentially increasing the attack surface of the application (Red Hat Bugzilla).

While this issue is primarily related to HAProxy configuration rather than Keycloak itself, it has been determined that Keycloak should return an error by default for non-normalized URLs. Organizations should ensure proper proxy configuration and consider using alternative proxy solutions like mod-proxy, which correctly manages non-normalized URLs by normalizing the path before ensuring it's within the prefix-path (Red Hat Bugzilla).