CVE-2025-11419

Summary

A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable.

Affected Software

VendorProductVersion RangeStatus
0 < 26.0.16affected
26.1.0 < 26.1.*unknown
26.2.0 < 26.2.10affected
26.3.0 < 26.3.*unknown
26.4.0 < 26.4.1affected
Red HatRed Hat build of Keycloak 26.026.0.16-2 < *unaffected
Red HatRed Hat build of Keycloak 26.026.0-20 < *unaffected
Red HatRed Hat build of Keycloak 26.026.0-21 < *unaffected
Red HatRed Hat build of Keycloak 26.226.2.10-2 < *unaffected
Red HatRed Hat build of Keycloak 26.226.2-11 < *unaffected
Red HatRed Hat build of Keycloak 26.226.2-11 < *unaffected

Weaknesses

  • CWE-770: Allocation of Resources Without Limits or Throttling

Workarounds

To mitigate this vulnerability, configure Keycloak to reject client-initiated TLS renegotiation by adding the following Java system property to the Keycloak startup configuration: -Djdk.tls.rejectClientInitiatedRenegotiation=true

This prevents unauthenticated attackers from triggering repeated TLS renegotiations and exhausting server CPU resources. Additionally, ensure that Keycloak is deployed behind proper network access controls and rate-limiting mechanisms to further reduce exposure to DoS attacks.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References