CVE-2025-11537
📋 TL;DR
Keycloak versions with verbose logging patterns (like 'long') expose sensitive headers including Authorization and Cookie in cleartext logs. Attackers with log file read access can steal credentials to impersonate users. This affects Keycloak deployments using vulnerable logging configurations.
💻 Affected Systems
- Keycloak
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full account compromise of all users whose credentials appear in logs, leading to data breaches, privilege escalation, and complete system takeover.
Likely Case
Targeted credential theft from logs by attackers with log access, resulting in unauthorized access to user accounts and potential lateral movement.
If Mitigated
Limited impact with proper log access controls and monitoring, though credentials remain exposed in logs until rotation.
🎯 Exploit Status
Exploitation requires read access to log files. No authentication bypass needed if logs are accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisory for specific fixed versions
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-11537
Restart Required: Yes
Instructions:
1. Check the Red Hat advisory for the fixed Keycloak version.
2. Update Keycloak to the patched version.
3. Restart the Keycloak service.
4. Verify that the logging configuration no longer exposes sensitive headers.
🔧 Temporary Workarounds
Change logging pattern
Applies to: all platforms. Modify the logging configuration to use patterns that exclude sensitive headers.
Edit the Keycloak logging configuration to remove or modify any pattern that echoes request headers, such as %i, %{i,Authorization} or %{i,Cookie}.
Restrict log file access
Applies to: Linux. Apply strict file permissions to the Keycloak log files:
chmod 640 /path/to/keycloak/logs/*
chown keycloak:keycloak /path/to/keycloak/logs/*
🧯 If You Can't Patch
- Immediately change logging configuration to exclude sensitive headers from all patterns
- Implement strict access controls on log files and directories, monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check the Keycloak logging configuration for patterns containing %i or explicit header references such as Authorization or Cookie. Review existing log files for cleartext credential exposure.
Check Version:
Run keycloak/bin/kc.sh --version, or check the version shown in the Keycloak admin console.
Verify Fix Applied:
After patching, verify logs no longer contain Authorization or Cookie headers in cleartext. Test with sample authentication requests.
📡 Detection & Monitoring
Log Indicators:
- Cleartext Authorization: Bearer tokens in logs
- Cookie: session identifiers in logs
- Patterns containing sensitive headers in configuration
Network Indicators:
- Unauthorized access attempts using credentials found in logs
SIEM Query:
source="keycloak.logs" AND ("Authorization:" OR "Cookie:") AND NOT "[REDACTED]"
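The two checks above (a logging pattern that echoes headers, and cleartext Authorization or Cookie values already present in logs) as a small added script; this is example code written for this page, not a Keycloak tool, and the log lines are constructed to mimic an access log written with a verbose pattern. Like the SIEM query, it treats a value of [REDACTED] as already mitigated, and it only reports a short prefix of each hit so the detection output does not itself leak the credential.

```python
import re
from typing import Dict, List

# Constructed sample lines (not real Keycloak output). Line 1 shows the exposure,
# line 2 a redacting pattern, line 3 a request with no sensitive headers.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2025:12:00:01 +0000] "GET /realms/demo/account HTTP/1.1" 200 512 Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.constructed.token Cookie: KEYCLOAK_SESSION=demo/abc123; AUTH_SESSION_ID=xyz
10.0.0.6 - - [10/Oct/2025:12:00:02 +0000] "GET /realms/demo/account HTTP/1.1" 200 512 Authorization: [REDACTED] Cookie: [REDACTED]
10.0.0.7 - - [10/Oct/2025:12:00:03 +0000] "GET /health HTTP/1.1" 200 12
"""

# A header value runs until the next "Authorization:"/"Cookie:" token or end of line.
HEADER_RE = re.compile(
    r"(?i)(?P<header>Authorization|Cookie):\s*(?P<value>\S[^\n]*?)"
    r"(?=\s+(?:Authorization|Cookie):|$)"
)

# Pattern tokens the advisory names as exposing headers, plus the verbose named
# pattern "long" mentioned in the summary.
EXPOSING_TOKENS = ("%i", "%{i,Authorization}", "%{i,Cookie}")


def is_vulnerable_pattern(pattern: str) -> bool:
    """True if an access-log pattern echoes request headers into the log."""
    p = pattern.strip()
    return p.lower() == "long" or any(tok.lower() in p.lower() for tok in EXPOSING_TOKENS)


def find_cleartext_headers(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per unredacted Authorization/Cookie value in the log."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in HEADER_RE.finditer(line):
            value = m.group("value")
            if value.startswith("[REDACTED]"):
                continue  # already masked by the logging pattern
            findings.append({
                "line": lineno,
                "header": m.group("header").capitalize(),
                "preview": value[:6] + "...",  # never print the full credential
            })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_headers(SAMPLE_LOG):
        print(f"line {f['line']}: cleartext {f['header']} header ({f['preview']})")
```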