VYPR
High severity (8.1) · OSV Advisory · Published Nov 26, 2024 · Updated Apr 15, 2026

CVE-2024-53843

Description

@dapperduckling/keycloak-connector-server is an opinionated series of libraries for Node.js applications and frontend clients to interface with Keycloak. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the authentication flow of the application. The issue arises from improper sanitization of URL parameters, which allows the URL bar's contents to be injected and reflected into the HTML page. An attacker could craft a malicious URL to execute arbitrary JavaScript in the browser of a victim who visits the link. Any application utilizing this authentication library is vulnerable, and its users are at risk if they can be lured into clicking a crafted malicious link. The vulnerability has been patched in version 2.5.5 by ensuring proper sanitization and escaping of user input in the affected URL parameters. Users are strongly encouraged to upgrade. If upgrading is not immediately possible, users can implement the following workarounds:

  1. Employ a Web Application Firewall (WAF) to block malicious requests containing suspicious URL parameters; or
  2. Apply input validation and escaping directly within the application's middleware or reverse proxy layer, specifically targeting the affected parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in the keycloak-connector-server authentication flow allows attackers to execute arbitrary JavaScript via crafted URLs.

Vulnerability

Overview

CVE-2024-53843 is a reflected Cross-Site Scripting (XSS) vulnerability discovered in the authentication flow of @dapperduckling/keycloak-connector-server, an opinionated series of libraries for Node.js applications to interface with Keycloak. The root cause is improper sanitization of URL parameters, which allows the contents of the URL bar to be injected and reflected directly into the HTML page returned by the application. This means that any user-supplied parameter used during authentication can be echoed back unsanitized, leading to script execution in the victim's browser.[1][2]

Exploitation and Attack Surface

The vulnerability can be exploited by an attacker crafting a malicious URL containing JavaScript payloads within the affected parameters. When a victim clicks on such a link and navigates to the application's authentication endpoint, the payload is reflected in the response and executed in the context of the victim's browser. No special privileges or prior authentication are required to trigger the vulnerability; any application using the vulnerable library is susceptible. The attack vector relies on social engineering to lure users into clicking the crafted link.[1][2]

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, defacement, or other malicious actions that the application's security context permits. Because the vulnerability resides in the authentication flow, sensitive tokens and cookies may be exfiltrated, compromising user accounts and the overall integrity of the application.[1][2]

Mitigation

The issue has been patched in version 2.5.5 of @dapperduckling/keycloak-connector-server by properly sanitizing and escaping user input in the affected URL parameters. Users are strongly encouraged to upgrade to this version immediately. If upgrading is not feasible, workarounds include deploying a Web Application Firewall (WAF) to block malicious requests or implementing input validation and escaping at the middleware or reverse proxy layer.[2]
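The advisory's Description and this Mitigation section both name the same middleware-layer workaround: validate the affected URL parameters and escape them before they are placed in the HTML response. The following is an added example of that pattern and is not code from @dapperduckling/keycloak-connector-server or its fix; the parameter name `redirect`, the callback route, the relative-path policy in `isSafeRelativePath`, the Express-style `req`/`res`/`next` middleware shape and the sample URLs are all assumptions constructed for illustration.

```javascript
// Added example (not code from @dapperduckling/keycloak-connector-server).
// Shows the middleware-layer workaround the advisory describes: validate a
// reflected URL parameter, then escape it at the point it enters the HTML.
// Parameter name "redirect", the route, the path policy and the Express-style
// req/res/next shape are assumptions, not the library's API.

// Minimal HTML escaper covering the five characters that matter in text and
// double/single-quoted attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed validation policy for a post-login redirect target: accept only a
// same-origin relative path; reject absolute URLs, scheme-relative "//host"
// forms, backslash tricks, control characters and oversized values.
function isSafeRelativePath(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 2048) return false;
  if (!value.startsWith('/') || value.startsWith('//') || value.startsWith('/\\')) return false;
  if (/[\u0000-\u001f\u007f]/.test(value)) return false;
  return true;
}

// Vulnerable pattern: the query value is concatenated straight into HTML,
// so any markup in the URL is reflected verbatim (the class of bug in the advisory).
function renderUnsafe(query) {
  const target = query.get('redirect') ?? '/';
  return `<a href="${target}">Continue to ${target}</a>`;
}

// Hardened pattern: validate first, fall back to a safe default when the
// value is rejected, and escape at the point of interpolation.
function renderSafe(query) {
  const raw = query.get('redirect');
  const target = isSafeRelativePath(raw) ? raw : '/';
  const safe = escapeHtml(target);
  return `<a href="${safe}">Continue to ${safe}</a>`;
}

// Hypothetical Express-style middleware applying the same escaping to every
// query parameter so downstream handlers read HTML-safe values from
// req.escapedQuery; req.query itself is left untouched for logging/auditing.
function escapeQueryMiddleware(req, res, next) {
  const out = {};
  for (const [key, val] of Object.entries(req.query ?? {})) {
    out[key] = Array.isArray(val) ? val.map(escapeHtml) : escapeHtml(val);
  }
  req.escapedQuery = out;
  next();
}

// Returns both renderings for one URL so the difference can be inspected or asserted.
function compareRenderings(url) {
  const query = new URL(url).searchParams;
  return { unsafe: renderUnsafe(query), safe: renderSafe(query) };
}

// Constructed sample URLs (not taken from the advisory): one benign, one
// carrying markup in the parameter to show the escaping at work.
const SAMPLE_URLS = [
  'https://app.example/auth/callback?redirect=/dashboard',
  'https://app.example/auth/callback?redirect=/"><script>probe()</script>',
];

for (const url of SAMPLE_URLS) {
  console.log(compareRenderings(url));
}
```

Escaping alone fixes the reflection; the validation step is the "input validation" half of the workaround and also stops the parameter being used as an open redirect. Escaping is context-specific: `escapeHtml` is correct for HTML text and quoted attribute values, but a value placed inside a `<script>` block or a JavaScript URL needs different treatment, so apply the escaper where the value is interpolated rather than once globally and assuming every sink is covered.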

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                    Ecosystem   Affected versions   Patched versions
@dapperduckling/keycloak-connector-server  npm         < 2.5.5             2.5.5

Affected products: 1

  • Range: @dapperduckling/keycloak-connector-client@0.0.10, @dapperduckling/keycloak-connector-client@0.0.11, @dapperduckling/keycloak-connector-client@0.0.12, …

Patches: 1

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.