CVE-2025-11429
📋 TL;DR
Keycloak sessions created while 'Remember Me' was enabled keep the extended Remember Me lifetimes even after an administrator disables the setting at the realm level. The logic flaw means a session that was hijacked, or left behind on a shared device, stays valid well past the realm's standard idle and maximum timeouts. Any deployment that has had 'Remember Me' enabled and later turned it off, or that relies on turning it off as an emergency control, is affected.
💻 Affected Systems
- Keycloak (upstream) and Red Hat build of Keycloak (see RHSA-2025:22088 / RHSA-2025:22089 under References)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker who obtains a user's session cookie or refresh token keeps working access for the full Remember Me lifetime configured in the realm (SSO Session Idle Remember Me / SSO Session Max Remember Me, commonly days or weeks) instead of the standard timeouts the administrator believes are in force, and can reach every application federated through that realm for that period.
Likely Case
Users with previously established 'Remember Me' sessions continue to have longer session lifetimes than administrators intended, creating inconsistent security enforcement.
If Mitigated
With proper monitoring and session termination procedures, impact is limited to inconvenience and minor policy violation until sessions naturally expire.
🎯 Exploit Status
The references list no public exploit, and the flaw grants no access by itself. An attacker first needs a valid session (cookie or refresh token) obtained by other means, such as XSS, malware on the endpoint, or credential theft; this bug only extends how long that stolen session stays usable after 'Remember Me' has been switched off.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not reliably recorded in this database (see 'Manual Verification Required' above). The fix is in the two upstream commits linked under References; take the fixed Keycloak release from the upstream issue and, for Red Hat build of Keycloak, from RHSA-2025:22088 / RHSA-2025:22089.
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-11429
Restart Required: Yes. The fix ships as a new server build, so applying it means upgrading and restarting (or redeploying) every Keycloak node.
Instructions:
1. Upgrade to a Keycloak release that contains the fix (Red Hat build of Keycloak: apply RHSA-2025:22088 or RHSA-2025:22089 as applicable) and restart the server.
2. After the upgrade, revoke sessions that were created while 'Remember Me' was enabled: Sessions -> Action -> 'Sign out all active sessions' in the Admin Console, or POST /admin/realms/{realm}/logout-all via the Admin REST API. Do not assume the patch retroactively shortens sessions that already exist; revoking them is the only way to be sure.
🔧 Temporary Workarounds
Force session termination
Manually terminate all existing user sessions after disabling 'Remember Me' (Realm Settings -> Login -> Remember me). Disabling the toggle on its own does not shorten sessions that already exist.
Admin Console: Sessions (realm menu) -> Action -> 'Sign out all active sessions'; equivalently, POST /admin/realms/{realm}/logout-all via the Admin REST API. Use Action -> 'Revocation' (push a not-before time) as well if already-issued tokens must be rejected immediately. Expect every user of the realm to re-authenticate.
🧯 If You Can't Patch
- Disable 'Remember Me' at the realm level and sign out all active sessions, so that no session created under the old setting survives (see the workaround above).
- Set the realm's 'SSO Session Idle Remember Me' and 'SSO Session Max Remember Me' to 0 (inherit the standard values) or to the same values as the standard timeouts, so a lingering Remember Me session cannot be granted a longer life than an ordinary one; confirm on your version that existing sessions pick the new values up.
- Enforce shorter session limits in the relying applications themselves (short access-token lifetime, re-authentication for sensitive actions) so a long Keycloak SSO session does not translate into a long application session.
🔍 How to Verify
Check if Vulnerable:
Confirm that 'Remember Me' is now disabled for the realm (Realm Settings -> Login), then list active sessions (Sessions page, or GET /admin/realms/{realm}/clients/{id}/user-sessions per client). Any session whose start time or last access is older than the realm's standard SSO Session Max / SSO Session Idle values can only be alive because of the Remember Me lifetimes, which is exactly this bug.
Check Version:
bin/kc.sh --version on the server, the version banner in the Keycloak startup log, or GET /admin/serverinfo (systemInfo.version) via the Admin REST API.
Verify Fix Applied:
After patching, create a test session with 'Remember Me' ticked, disable the setting in the realm, and confirm that the session expires at the standard idle/max timeouts rather than the Remember Me ones, regardless of when it was created.
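The script below is an added example, not code from the advisory or the Keycloak project, and covers both the workaround above (disable the toggle, sign everyone out) and the 'Check if Vulnerable' step: it walks the realm's sessions through the Admin REST API, flags any that have outlived the standard (non Remember Me) idle or max limits while rememberMe is off, and can apply the revocation. It assumes an admin-cli password grant in the master realm, the Admin REST paths and field names shown (start/lastAccess in epoch milliseconds, timeouts in seconds), and that a partial realm PUT changes only the fields sent; the realm and session data at the bottom are constructed so the check itself runs offline.

```python
"""Detect and revoke Keycloak sessions that outlive the realm's standard limits
after 'Remember Me' has been disabled (CVE-2025-11429 check / workaround).

Added example, not Keycloak project code. Assumed: admin-cli password grant,
the Admin REST paths and field names used below, and that a partial realm PUT
changes only the fields sent. SAMPLE_* data at the bottom is constructed.
"""
import json
import urllib.parse
import urllib.request


def api(base, token, path, method="GET", body=None):
    """One Admin REST call under /admin/realms/; returns parsed JSON, or None on 204."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{base}/admin/realms/{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def admin_token(base, username, password):
    """Password grant for the built-in admin-cli client in the master realm."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def all_sessions(base, token, realm_name, page=200):
    """Union of the per-client session listings (Keycloak lists sessions per client)."""
    seen = {}
    for client in api(base, token, f"{realm_name}/clients"):
        first = 0
        while True:  # user-sessions is paginated; walk it page by page
            batch = api(base, token,
                        f"{realm_name}/clients/{client['id']}/user-sessions?first={first}&max={page}")
            for s in batch:
                seen.setdefault(s["id"], s)
            if len(batch) < page:
                break
            first += page
    return list(seen.values())


def overlong_sessions(realm, sessions, now_ms):
    """Sessions still alive past the realm's *standard* idle/max limits.

    realm: RealmRepresentation-style dict, timeouts in seconds.
    sessions: UserSessionRepresentation-style dicts, start/lastAccess in epoch ms.
    """
    idle_ms = realm["ssoSessionIdleTimeout"] * 1000
    max_ms = realm["ssoSessionMaxLifespan"] * 1000
    findings = []
    for s in sessions:
        reasons = []
        if now_ms - s["lastAccess"] > idle_ms:
            reasons.append("idle longer than ssoSessionIdleTimeout")
        if now_ms - s["start"] > max_ms:
            reasons.append("older than ssoSessionMaxLifespan")
        if reasons:
            findings.append({"id": s["id"], "username": s["username"], "reasons": reasons})
    return findings


def exposed(realm, sessions, now_ms):
    """True when Remember Me is off for the realm yet over-long sessions persist:
    only a leftover Remember Me lifetime should be able to keep them alive."""
    return not realm.get("rememberMe", False) and bool(overlong_sessions(realm, sessions, now_ms))


def remediate(base, token, realm_name):
    """The advisory's workaround: switch Remember Me off, then sign every user out."""
    api(base, token, realm_name, method="PUT", body={"rememberMe": False})
    api(base, token, f"{realm_name}/logout-all", method="POST")  # endpoint takes no body


# Constructed data: Remember Me already disabled, standard limits 30 min idle / 10 h max.
NOW_MS = 1_760_000_000_000
DAY_MS = 86_400_000
SAMPLE_REALM = {"realm": "demo", "rememberMe": False,
                "ssoSessionIdleTimeout": 1800, "ssoSessionMaxLifespan": 36000}
SAMPLE_SESSIONS = [
    {"id": "s1", "username": "alice", "start": NOW_MS - 600_000, "lastAccess": NOW_MS - 60_000},
    {"id": "s2", "username": "bob", "start": NOW_MS - 6 * DAY_MS, "lastAccess": NOW_MS - 5 * DAY_MS},
    {"id": "s3", "username": "carol", "start": NOW_MS - 3 * DAY_MS, "lastAccess": NOW_MS - 120_000},
]

if __name__ == "__main__":
    print(json.dumps(overlong_sessions(SAMPLE_REALM, SAMPLE_SESSIONS, NOW_MS), indent=2))
    print("exposed:", exposed(SAMPLE_REALM, SAMPLE_SESSIONS, NOW_MS))
```

Running the file as-is reports sessions s2 (idle 5 days, started 6 days ago) and s3 (active, but started 3 days ago) as over-long and the realm as exposed; s1 is within both limits. Against a real server, obtain a token with admin_token, pass the realm JSON from GET /admin/realms/{realm} and the list from all_sessions into exposed, and call remediate only after confirming the endpoints behave as described on your version.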
📡 Detection & Monitoring
Log Indicators:
- Active sessions (Sessions page or Admin REST API) whose start or last-access time is older than the realm's standard SSO Session Max / SSO Session Idle values after 'Remember Me' was disabled
- With event logging enabled, LOGIN events carrying the remember_me=true detail: they identify which users' sessions were created under the old setting and should be revoked
Network Indicators:
- Refresh-token exchanges (POST /realms/{realm}/protocol/openid-connect/token with grant_type=refresh_token) that keep succeeding for a session hours or days after the standard timeouts would have expired it
SIEM Query:
source="keycloak" AND "type=LOGIN" AND "remember_me=true"
(for the jboss-logging event listener format; the broader source="keycloak" AND ("session" OR "remember-me") AND ("expiration" OR "timeout") also catches generic expiry messages but is noisy)
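As an added example of the log-side check (not from the advisory or the Keycloak project), the script below pulls LOGIN events that carried the remember_me detail out of Keycloak event-log lines and narrows them to logins recent enough that, under the unfixed behaviour, the session could still be inside the realm's Remember Me max lifespan. It assumes the jboss-logging event listener's flattened key=value line format (both the older unquoted and the newer quoted style are handled) and that the detail key is remember_me; the log lines are constructed. Check the key name against a real login event in your own logs before relying on it.

```python
"""Scope revocation after disabling 'Remember Me': find the LOGIN events that
created Remember Me sessions in Keycloak event-log output.

Added example, not Keycloak project code. Assumes the jboss-logging event
listener's 'key=value, key=value' line format and the remember_me detail key.
SAMPLE_LOG is constructed.
"""
import re
from datetime import datetime, timezone

# Timestamp prefix, the [org.keycloak.events] category, the thread in parentheses,
# then the flattened event fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})[,.]\d+ .*?\[org\.keycloak\.events\].*?\) (?P<kv>.*)$")
# key=value or key="value"; an unquoted value runs up to the next comma or space.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')

SAMPLE_LOG = """\
2025-10-01 08:00:00,001 INFO  [org.keycloak.events] (executor-thread-3) type=LOGIN, realmId=demo, clientId=portal, userId=1111, ipAddress=10.0.0.5, auth_method=openid-connect, remember_me=true, username=alice
2025-10-01 08:05:00,002 INFO  [org.keycloak.events] (executor-thread-3) type=LOGIN, realmId=demo, clientId=portal, userId=2222, ipAddress=10.0.0.6, auth_method=openid-connect, username=bob
2025-10-01 08:10:00,003 INFO  [org.keycloak.events] (executor-thread-4) type="LOGIN", realmId="demo", clientId="portal", userId="3333", ipAddress="10.0.0.7", remember_me="true", username="carol"
2025-10-01 08:12:00,004 WARN  [org.keycloak.events] (executor-thread-4) type=LOGIN_ERROR, realmId=demo, clientId=portal, error=invalid_user_credentials, remember_me=true, username=mallory
2025-10-20 09:00:00,005 INFO  [org.keycloak.events] (executor-thread-2) type=LOGIN, realmId=demo, clientId=portal, userId=4444, ipAddress=10.0.0.8, remember_me=true, username=dave
"""


def parse_events(text):
    """One dict per event line: the key=value fields plus '_ts' as an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an event line (startup banner, stack trace, ...)
        # findall yields (key, quoted_value, bare_value); exactly one value group is filled
        fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(m.group("kv"))}
        fields["_ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append(fields)
    return events


def remember_me_logins(text):
    """Successful logins where the user ticked 'Remember Me'; failed attempts are excluded."""
    return [e for e in parse_events(text)
            if e.get("type") == "LOGIN" and e.get("remember_me") == "true"]


def possibly_live(logins, now, remember_me_max_s):
    """Logins recent enough that, with the unfixed behaviour, the session may still be
    inside the realm's Remember Me max lifespan: these are the users to sign out first."""
    return [e for e in logins if (now - e["_ts"]).total_seconds() <= remember_me_max_s]


if __name__ == "__main__":
    logins = remember_me_logins(SAMPLE_LOG)
    now = datetime(2025, 10, 21, tzinfo=timezone.utc)
    for e in possibly_live(logins, now, 7 * 86_400):  # assumed 7-day Remember Me max lifespan
        print(e["realmId"], e["username"], e["userId"], e["ipAddress"], e["_ts"].isoformat())
```

On the constructed sample, alice, carol and dave logged in with Remember Me (bob did not, and mallory's attempt failed); with a 7-day Remember Me max lifespan and the clock at 2025-10-21, only dave's session can still be alive, so he is the one to sign out first. Point it at a real log by replacing SAMPLE_LOG with the file contents and the max lifespan with the realm's configured value.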
🔗 References
- https://access.redhat.com/errata/RHSA-2025:22088
- https://access.redhat.com/errata/RHSA-2025:22089
- https://access.redhat.com/security/cve/CVE-2025-11429
- https://bugzilla.redhat.com/show_bug.cgi?id=2402148
- https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d
- https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b
- https://github.com/keycloak/keycloak/issues/43328