CVE-2025-3501

Summary

A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.

Affected Software

VendorProductVersion RangeStatus
25.0.0 < 25.*affected
26.0.0 < 26.0.11affected
26.1.0 < 26.1.*unknown
26.2.0 < 26.2.2affected
Red HatRed Hat build of Keycloak 26.026.0.11-2 < *unaffected
Red HatRed Hat build of Keycloak 26.026.0-12 < *unaffected
Red HatRed Hat build of Keycloak 26.026.0-13 < *unaffected
Red HatRed Hat build of Keycloak 26.226.2.5-1 < *unaffected
Red HatRed Hat build of Keycloak 26.226.2-4 < *unaffected
Red HatRed Hat build of Keycloak 26.226.2-4 < *unaffected

Weaknesses

  • CWE-297: Improper Validation of Certificate with Host Mismatch

Workarounds

Use the correct TLS configuration and avoid using "–tls-hostname-verifier=any".

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References