CVE-2017-7474
CVE-2017-7474 is a critical-severity vulnerability in Keycloak Keycloak-nodejs-auth-utils with a CVSS 3.x base score of 9.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-253.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 3% (83rd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-253
- Affected product: Keycloak Keycloak-nodejs-auth-utils
- Published:
- Last modified:
Description
It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.
Frequently asked questions
- What is CVE-2017-7474?
- It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.
- How severe is CVE-2017-7474?
- CVE-2017-7474 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2017-7474 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (83rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2017-7474?
- CVE-2017-7474 primarily affects Keycloak Keycloak-nodejs-auth-utils. In total, 11 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2017-7474?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2017-7474 published?
- CVE-2017-7474 was published on 2017-05-12 and last updated on 2026-06-17.
References
Affected products (11)
- cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.0:cr1:*:*:*:*:*:*
- cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:3.0.0:cr1:*:*:*:*:*:*
Other CWE-253 vulnerabilities
- CVE-2026-35091 — High (CVSS 8.2): A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the…
- CVE-2026-53090 — High (CVSS 7.8): In the Linux kernel, the following vulnerability has been resolved: bpf: Fix ld_{abs,ind} failure path analysis in…
- CVE-2026-46419 — High (CVSS 7.5): Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2.8.2 incorrectly checks a function's return value…
- CVE-2025-57767 — High (CVSS 7.5): Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.15.2, 21.10.2, and…
- CVE-2024-43521 — High (CVSS 7.5): Windows Hyper-V Denial of Service Vulnerability
- CVE-2024-32475 — High (CVSS 7.5): Envoy is a cloud-native, open source edge and service proxy. When an upstream TLS cluster is used with `auto_sni`…