4.9

CVE-2025-2559

Org.keycloak/keycloak-services: jwt token cache exhaustion leading to denial of service (dos) in keycloak

A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Collection URLhttps://github.com/keycloak/keycloak/
Paket keycloak
Default Statusunaffected
Version 23.0.0
Version < 26.0.11
Status affected
Version 26.1.0
Version < 26.1.5
Status affected
HerstellerRed Hat
Produkt Red Hat Build of Keycloak
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 26.0
Default Statusaffected
Version 26.0.11-2
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 26.0
Default Statusaffected
Version 26.0-12
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 26.0
Default Statusaffected
Version 26.0-13
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat Single Sign-On 7
Default Statusaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.65% 0.467
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
secalert@redhat.com 4.9 1.2 3.6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

https://access.redhat.com/security/cve/CVE-2025-2559
https://bugzilla.redhat.com/show_bug.cgi?id=2353868
https://access.redhat.com/errata/RHSA-2025:4335
https://access.redhat.com/errata/RHSA-2025:4336
https://github.com/keycloak/keycloak/commit/a10c8119d4452b866b90a9019b2cc159919276ca
https://github.com/keycloak/keycloak/issues/38576