CVE-2025-2559

EPSS 0.03%
Veröffentlicht 25.03.2025 08:20:57
Zuletzt bearbeitet 06.05.2026 17:16:19
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

Org.keycloak/keycloak-services: jwt token cache exhaustion leading to denial of service (dos) in keycloak

A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

CNA 6 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Collection URLhttps://github.com/keycloak/keycloak/

≫

Paket keycloak

Default Statusunaffected

Version 23.0.0

Version < 26.0.11

Status affected

Version 26.1.0

Version < 26.1.5

Status affected

HerstellerRed Hat

≫

Produkt Red Hat Build of Keycloak

Default Statusunaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.0

Default Statusaffected

Version 26.0.11-2

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.0

Default Statusaffected

Version 26.0-12

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.0

Default Statusaffected

Version 26.0-13

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Single Sign-On 7

Default Statusaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.071

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
secalert@redhat.com	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://access.redhat.com/security/cve/CVE-2025-2559

https://bugzilla.redhat.com/show_bug.cgi?id=2353868

https://access.redhat.com/errata/RHSA-2025:4335

https://access.redhat.com/errata/RHSA-2025:4336

https://github.com/keycloak/keycloak/commit/a10c8119d4452b866b90a9019b2cc159919276ca

https://github.com/keycloak/keycloak/issues/38576

https://nvd.nist.gov/vuln/detail/CVE-2025-2559

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-2559

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-2559

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-2559