Rhdh Red Hat Rhdh


By the Year

In 2026 there have been 0 vulnerabilities in Red Hat Rhdh. Last year, in 2025, Rhdh had 5 security vulnerabilities published. Right now, Rhdh is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year    Vulnerabilities    Average Score
2026    0                  0.00
2025    5                  6.04
2024    3                  6.37

It may take a day or so for new Rhdh vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Rhdh Security Vulnerabilities

Nodemailer DoS via crafted email header triggers infinite recursion
CVE-2025-14874 7.5 - High - December 18, 2025

A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.

Improper Check or Handling of Exceptional Conditions

Email Parser Vulnerability: Quoted External Address Escapes Recipient
CVE-2025-13033 7.5 - High - November 14, 2025

A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.

Improper Validation of Syntactic Correctness of Input

Insufficient Access Control in Red Hat Developer Hub Container Image
CVE-2025-5417 6.1 - Medium - August 19, 2025

An insufficient access control vulnerability was found in the Red Hat Developer Hub rhdh/rhdh-hub-rhel9 container image. A Red Hat Developer Hub cluster admin/user who has standard user access to the cluster and to the Red Hat Developer Hub namespace can access the rhdh/rhdh-hub-rhel9 container image and modify the image's content. This issue affects the confidentiality and integrity of the data; any changes made are not permanent, as they reset after the pod restarts.

Incorrect Privilege Assignment

CIRCL FourQ RCE via Low-Order Point Injection in Diffie-Hellman
CVE-2025-8556 3.7 - Low - August 06, 2025

A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.

Improper Verification of Cryptographic Signature

serialize-javascript XSS via unsanitized regex input
CVE-2024-11831 5.4 - Medium - February 10, 2025

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

XSS

Keycloak XSS via Malicious ACS URLs (CVE-2023-6717)
CVE-2023-6717 6.0 - Medium - April 25, 2024

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

XSS

Keycloak OIDC checkLoginIframe DoS via unvalidated cross-origin messages
CVE-2024-1249 7.4 - High - April 17, 2024

A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.

Origin Validation Error

Red Hat Developer Hub (RHDH) Access Token Leak via Catalog-Import
CVE-2023-6944 5.7 - Medium - January 04, 2024

A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encoded GitLab token includes a newline at the end of the string. The sanitized error can display on the frontend, including the raw access token. Upon gaining access to this token and depending on permissions, an attacker could push malicious code to repositories, delete resources in Git, revoke or generate new keys, and sign code illegitimately.

Generation of Error Message Containing Sensitive Information
