keycloak-connect is vulnerable to an open redirect. The vulnerability exists in the module.exports function of check-sso.js, which does not properly escape the slashes in the cleanUrl attribute, allowing an attacker to redirect the user to malicious URLs with the query parameter prompt=none when checking SSO.
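
An added example, not code from keycloak-connect or from this advisory: it shows in Node.js why unescaped leading slashes in a redirect target matter, and one way to neutralise them before the value reaches a Location header. The function names, the `BASE` origin and the sample inputs are constructed for illustration.

```javascript
'use strict';
// Added illustration; not keycloak-connect source. All names are hypothetical.
const BASE = 'https://app.example.test'; // constructed origin of the protected app

// True when a Location header value would take the browser to another origin.
function resolvesOffOrigin(target, base = BASE) {
  return new URL(target, base).origin !== new URL(base).origin;
}

// Returns a same-origin path and query that is safe to redirect to,
// or '/' when the input cannot be made local.
function safeRedirectTarget(rawUrl, base = BASE) {
  if (typeof rawUrl !== 'string' || rawUrl.length === 0) return '/';
  // URL parsers drop tab/CR/LF and treat "\" as "/" for http(s),
  // so normalise both before looking at the leading slashes.
  const cleaned = rawUrl.replace(/[\t\r\n]/g, '').replace(/\\/g, '/');
  if (!cleaned.startsWith('/')) return '/'; // absolute URLs and bare hosts
  // "//host/path" is a network-path reference: collapse to one slash.
  const collapsed = cleaned.replace(/^\/+/, '/');
  let parsed;
  try {
    parsed = new URL(collapsed, base);
  } catch {
    return '/';
  }
  if (parsed.origin !== new URL(base).origin) return '/'; // defence in depth
  return parsed.pathname + parsed.search;
}

// Constructed sample inputs.
const samples = ['/account?tab=1', '//other-site.example/login', '/\\other-site.example/login'];
for (const s of samples) {
  console.log(JSON.stringify(s), resolvesOffOrigin(s), safeRedirectTarget(s));
}
```
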