CVE-2025-2559

Summary

A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.

Affected Software

VendorProductVersion RangeStatus
23.0.0 < 26.0.11affected
26.1.0 < 26.1.5affected
Red HatRed Hat build of Keycloak 26.026.0.11-2 < *unaffected
Red HatRed Hat build of Keycloak 26.026.0-12 < *unaffected
Red HatRed Hat build of Keycloak 26.026.0-13 < *unaffected

Weaknesses

  • CWE-770: Allocation of Resources Without Limits or Throttling

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References