CVE-2025-9162: 
Java vulnerability analysis and mitigation

CVE-2025-9162 is a security vulnerability discovered in org.keycloak/keycloak-model-storage-service. The vulnerability was disclosed on August 21, 2025, and affects the KeycloakRealmImport custom resource functionality. This vulnerability involves the substitution of placeholders within imported realm documents that can reference environment variables (NVD CVE).

The vulnerability exists in the KeycloakRealmImport custom resource's placeholder substitution mechanism. When processing imported realm documents, the system substitutes placeholders that can reference environment variables, creating a potential vector for injection attacks. The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The weakness has been categorized as CWE-526 (Exposure of Sensitive Information Through Environmental Variables) (NVD CVE).

The vulnerability allows attackers to inject malicious content during the realm import procedure, which can lead to unintended consequences within the Keycloak environment. The primary impact is related to confidentiality, as indicated by the CVSS metrics showing high confidentiality impact but no impact on integrity or availability (NVD CVE).

The vulnerability is currently under investigation by Red Hat Product Security. At present, no official mitigation strategies or workarounds have been published (Red Hat CVE).