CVE-2025-12110
📋 TL;DR
This Keycloak vulnerability allows offline sessions to remain valid even after administrators remove the offline_access scope from clients. Attackers can continue using refresh tokens to obtain new access tokens for supposedly revoked sessions. This affects Keycloak deployments where administrators manage client scopes and expect immediate revocation of offline sessions.
💻 Affected Systems
- Keycloak
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers maintain persistent unauthorized access to protected resources through offline sessions that should have been terminated, potentially leading to data breaches or privilege escalation.
Likely Case
Users retain access to applications after their offline session permissions should have been revoked, violating security policies and access controls.
If Mitigated
With proper monitoring and session management controls, impact is limited to temporary access until sessions naturally expire or are manually terminated.
🎯 Exploit Status
Requires existing offline session tokens and knowledge that offline_access scope was removed
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisories for specific patched versions
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-12110
Restart Required: No
Instructions:
1. Review Red Hat advisories RHSA-2025:21370, RHSA-2025:21371, RHSA-2025:22088, RHSA-2025:22089
2. Apply the appropriate patch for your Keycloak version
3. Verify the patch is applied correctly
🔧 Temporary Workarounds
Manual Session Revocation
Manually revoke all existing offline sessions after removing the offline_access scope from clients
Use the Keycloak Admin Console or REST API to revoke sessions for affected clients
🧯 If You Can't Patch
- Monitor for unusual session activity and manually revoke suspicious offline sessions
- Implement additional authentication layers or session timeouts to limit potential impact
🔍 How to Verify
Check if Vulnerable:
Test if offline sessions remain valid after removing offline_access scope from a client
Check Version:
Check Keycloak server version via admin console or server logs
Verify Fix Applied:
After patching, verify that removing offline_access scope immediately invalidates existing offline sessions
📡 Detection & Monitoring
Log Indicators:
- Unexpected token refresh requests for clients with removed offline_access scope
- Session persistence after scope revocation
Network Indicators:
- Continued API calls using tokens from supposedly revoked sessions
SIEM Query:
Search for token refresh events where client configuration changed (offline_access scope removed)
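Detection logic for the log indicators and SIEM query above, as an added example that is not part of this advisory or of Keycloak itself: it correlates an admin event that deletes a client scope mapping with later REFRESH_TOKEN user events whose refresh token type is Offline, which is also the observation behind the "Check if Vulnerable" test. Assumptions: the resourcePath layout, the refresh_token_type detail key, and the scope/client UUIDs are placeholders to be confirmed against your own Keycloak event logs; the sample events are constructed.

```python
# Constructed sample events, not real Keycloak output. Field names follow the
# Keycloak admin/user event JSON shape; the resourcePath layout and the
# "refresh_token_type" detail key are assumptions to confirm against your logs.
OFFLINE_SCOPE_UUID = "offline-scope-uuid-placeholder"   # placeholder id
CLIENT_UUID_TO_ID = {"client-uuid-placeholder": "billing-app"}  # placeholder id
ADMIN_EVENTS = [
    {"time": 1700000000000, "operationType": "DELETE", "resourceType": "CLIENT_SCOPE_MAPPING",
     "resourcePath": "clients/client-uuid-placeholder/default-client-scopes/offline-scope-uuid-placeholder"},
]
USER_EVENTS = [
    # offline refresh before the removal: expected, not flagged
    {"time": 1699999000000, "type": "REFRESH_TOKEN", "clientId": "billing-app",
     "userId": "u1", "sessionId": "s1", "details": {"refresh_token_type": "Offline"}},
    # offline refresh after the removal: the CVE-2025-12110 symptom
    {"time": 1700003600000, "type": "REFRESH_TOKEN", "clientId": "billing-app",
     "userId": "u1", "sessionId": "s1", "details": {"refresh_token_type": "Offline"}},
    # ordinary online refresh after the removal: not an offline session, not flagged
    {"time": 1700003700000, "type": "REFRESH_TOKEN", "clientId": "billing-app",
     "userId": "u2", "sessionId": "s2", "details": {"refresh_token_type": "Refresh"}},
    # offline refresh for a client whose scope was never removed: not flagged
    {"time": 1700003800000, "type": "REFRESH_TOKEN", "clientId": "other-app",
     "userId": "u3", "sessionId": "s3", "details": {"refresh_token_type": "Offline"}},
]

def scope_removal_times(admin_events, scope_uuid, uuid_to_client_id):
    """Map clientId -> earliest time its offline_access scope mapping was deleted."""
    removed = {}
    for ev in admin_events:
        if (ev.get("operationType"), ev.get("resourceType")) != ("DELETE", "CLIENT_SCOPE_MAPPING"):
            continue
        # expected path: clients/<client-uuid>/<default|optional>-client-scopes/<scope-uuid>
        parts = ev.get("resourcePath", "").split("/")
        if len(parts) != 4 or parts[0] != "clients" or parts[3] != scope_uuid:
            continue
        client_id = uuid_to_client_id.get(parts[1])
        if client_id is not None:
            removed[client_id] = min(ev["time"], removed.get(client_id, ev["time"]))
    return removed

def find_stale_offline_refreshes(user_events, removed):
    """Return (clientId, userId, sessionId, time) for offline refreshes issued after removal."""
    hits = []
    for ev in user_events:
        if ev.get("type") != "REFRESH_TOKEN" or ev.get("details", {}).get("refresh_token_type") != "Offline":
            continue
        cutoff = removed.get(ev.get("clientId"))
        if cutoff is not None and ev["time"] > cutoff:
            hits.append((ev["clientId"], ev.get("userId"), ev.get("sessionId"), ev["time"]))
    return hits
```

Each hit names an offline session that kept refreshing after its client lost offline_access, which is what the manual-revocation workaround above should eliminate.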
🔗 References
- https://access.redhat.com/errata/RHSA-2025:21370
- https://access.redhat.com/errata/RHSA-2025:21371
- https://access.redhat.com/errata/RHSA-2025:22088
- https://access.redhat.com/errata/RHSA-2025:22089
- https://access.redhat.com/security/cve/CVE-2025-12110
- https://bugzilla.redhat.com/show_bug.cgi?id=2406033
- https://github.com/keycloak/keycloak/pull/43790