Is the JWT 'kid' Path Traversal Vulnerability Mitigated in Keycloak 25.0?

Hello Keycloak Community,

I am currently using Keycloak and have concerns about the JWT ‘kid’ (Key ID) path traversal vulnerability. I would like to know if this specific issue has been mitigated in the latest Keycloak version 25.0.

Could anyone provide information or point me to the relevant documentation or release notes that confirm this?

Thank you for your assistance!

Best regards,
Vikas.

I’m assuming you’re referring to this Lab: JWT authentication bypass via kid header path traversal

I’m not aware of any vulnerability hanging out, at least none in the github project page.

The relevant code is for KID lookup is here

    private JSONWebKeySet getRealmKeys(String realm) {
        String certUrl = baseUrl + "/realms/" + realm + "/protocol/openid-connect/certs";
        try (CloseableHttpClient client = httpClient.get()){
            return SimpleHttpDefault.doGet(certUrl, client).asJson(JSONWebKeySet.class);
        } catch (IOException e) {
            throw new RuntimeException("Failed to retrieve keys", e);
        }
    }

    private KeyWrapper findKey(JSONWebKeySet jsonWebKeySet, String algorithm, String kid) {
        for (JWK k : jsonWebKeySet.getKeys()) {
            if (k.getKeyId().equals(kid) && k.getAlgorithm().equals(algorithm)) {
                PublicKey publicKey = JWKParser.create(k).toPublicKey();

                KeyWrapper key = new KeyWrapper();
                key.setKid(k.getKeyId());
                key.setAlgorithm(k.getAlgorithm());
                if (k.getOtherClaims().get(OKPPublicJWK.CRV) != null) {
                    key.setCurve((String) k.getOtherClaims().get(OKPPublicJWK.CRV));
                }
                key.setPublicKey(publicKey);
                key.setUse(KeyUse.SIG);

                return key;
            }
        }
        return null;
    }

The use of an iterate-and-match lookup on the kid avoids injection attacks so I think this particular vulnerability is not an issue.

Have you attempted this exploit?

This was an issue in Keycloak 16, So looking up the code feels like kid avoids injection is not an issue in Keycloak Latest.