keycloak-connect is an Identity and Access Management solution for modern applications and services.
Affected versions of this package are vulnerable to Open Redirect via the checkSso function. The checkSso function uses the query parameter 'prompt=none' when forwarding the request to Keycloak. This may allow authenticating the user without interaction as long as the user is already authenticated with Keycloak.
Note: This package is deprecated and will be removed in the future.
Remediation
Upgrade keycloak-connect to version 21.0.1 or higher.
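Independently of the upgrade, an application can refuse to forward a user-supplied redirect target that leaves its own origins. The following is an added example, not keycloak-connect's code; the advisory does not say which parameter carries the target, so the function, the origin allowlist and the inputs are assumptions constructed for illustration.

```javascript
// Added example (not keycloak-connect code): validate a post-login redirect
// target against an allowlist of origins before handing it to the login flow.
// Assumed: the application receives a user-supplied "redirect" string that
// must resolve to one of its own origins. Origins below are constructed.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

/**
 * Returns the validated absolute URL string, or null if the target must be
 * rejected. Relative paths are resolved against `baseOrigin` so "/dashboard"
 * stays on-site, while anything that resolves to a foreign origin (including
 * protocol-relative "//evil.example", backslash variants "/\evil.example" and
 * userinfo tricks "https://app.example.com@evil.example") is rejected, as are
 * non-http(s) schemes such as "javascript:".
 */
function safeRedirect(target, baseOrigin, allowed = ALLOWED_ORIGINS) {
  if (typeof target !== 'string' || target.length === 0) return null;
  // Control characters and whitespace have no place in a redirect target;
  // reject them before the URL parser silently strips them.
  if (/[\u0000-\u001f\s]/.test(target)) return null;
  let url;
  try {
    url = new URL(target, baseOrigin); // WHATWG parsing, same as browsers
  } catch {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Compare the parsed origin, never a string prefix of the raw input.
  if (!allowed.has(url.origin)) return null;
  return url.href;
}
```

The check compares the parsed `origin`, so host-prefix look-alikes (`app.example.com.evil.example`) and scheme confusion are handled by the URL parser rather than by hand-written string matching.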
elliptic is a fast elliptic-curve cryptography implementation in plain JavaScript.
Affected versions of this package are vulnerable to Use of a Cryptographic Primitive with a Risky Implementation due to incorrect computation of the byte length of the k value when it has leading zeros, resulting in its truncation. An attacker can obtain the secret key by analyzing both a faulty signature generated by a vulnerable implementation and a correct signature for the same inputs.
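As an added illustration of the encoding defect this advisory describes (example code, not elliptic's own implementation): a scalar serialized at its minimal byte length comes out shorter than the group order's width whenever its top byte is zero, and a consumer that expects fixed-width input then processes the wrong value. The secp256k1 group order is a public curve constant; the k values and the fixed-width consumer model are constructed assumptions for the demonstration, not elliptic's actual code path.

```javascript
// Added example (not elliptic's code): minimal-length versus fixed-width
// serialization of an ECDSA per-signature scalar k, and a check that flags
// the lossy form. Constructed for illustration; not elliptic's code path.

// Group order n of secp256k1 (public curve parameter, 32 bytes wide).
const N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n;

// Number of bytes needed to hold any scalar below `order`. This is the width
// a signer must use: it depends on the order, never on the value of k.
function orderByteLength(order) {
  return Math.ceil(order.toString(16).length / 2);
}

function hexToBytes(hex) {
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) {
    out[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
  }
  return out;
}

// Decode big-endian bytes to a BigInt.
function fromBytes(bytes) {
  let v = 0n;
  for (const b of bytes) v = (v << 8n) | BigInt(b);
  return v;
}

// Minimal-length big-endian encoding (the defective pattern): the length is
// derived from k itself, so a k with a zero top byte encodes one byte short.
function toBytesMinimal(k) {
  let hex = k.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  return hexToBytes(hex);
}

// Fixed-width big-endian encoding (the safe pattern): always `width` bytes,
// left-padded with zeros, so leading zero bytes of k are preserved.
function toBytesFixed(k, width) {
  const hex = k.toString(16).padStart(width * 2, '0');
  if (hex.length > width * 2) throw new RangeError('value does not fit in width');
  return hexToBytes(hex);
}

// Constructed consumer that expects exactly `width` bytes and copies whatever
// it receives into a zeroed buffer. A short encoding lands left-aligned, so
// the scalar it decodes is k shifted up by the missing bytes, not k.
function roundTripViaBuffer(encoded, width) {
  const buf = new Uint8Array(width);
  buf.set(encoded.subarray(0, width));
  return fromBytes(buf);
}

// True when k's minimal encoding is narrower than the order's width, i.e.
// when a fixed-width consumer would misinterpret it. Expected for roughly
// 1 in 256 uniformly random scalars, so the fault is rare but recurring.
function encodingIsLossy(k, order) {
  return toBytesMinimal(k).length < orderByteLength(order);
}

// Constructed sample scalars: one whose top byte is zero, one full width.
const K_LEADING_ZERO = (0xABCDEFn << 224n) | 0xFFn; // 248-bit value, 31 bytes
const K_FULL_WIDTH = (0x7FABCDEFn << 224n) | 0xFFn; // 255-bit value, 32 bytes
```

Running `encodingIsLossy` over the scalars a signer actually produces is a cheap regression check for this bug class; the fix on the producing side is always `toBytesFixed(k, orderByteLength(n))` rather than a length derived from k.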