CVE-2025-2559
📋 TL;DR
This vulnerability in Keycloak allows denial of service through memory exhaustion when JWT tokens with excessively long expiration times are cached indefinitely. Systems using Keycloak with JWT token authentication are affected. The issue can prevent legitimate users from accessing the system.
💻 Affected Systems
- Keycloak
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system outage due to OutOfMemoryError, rendering Keycloak unavailable and blocking all authentication requests.
Likely Case
Gradual performance degradation leading to intermittent authentication failures and increased response times.
If Mitigated
Minimal impact with proper token expiration limits and monitoring in place.
🎯 Exploit Status
Exploitation requires access to create or modify JWT tokens used for authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Red Hat advisories RHSA-2025:4335 and RHSA-2025:4336
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-2559
Restart Required: Yes
Instructions:
1. Check current Keycloak version.
2. Apply patches from Red Hat advisories.
3. Restart Keycloak service.
4. Verify fix by monitoring cache behavior.
🔧 Temporary Workarounds
Limit JWT Token Expiration
Configure maximum token expiration time to prevent indefinite caching.
Configure in Keycloak admin console: Realm Settings -> Tokens -> Access Token Lifespan
Implement Cache Eviction Policy
Add cache size limits or time-based eviction for JWT token cache.
Configure cache settings in Keycloak standalone.xml or ha.xml
🧯 If You Can't Patch
- Implement strict JWT token expiration policies (max 1-2 hours)
- Monitor memory usage and JWT cache size with alerts for abnormal growth
🔍 How to Verify
Check if Vulnerable:
Check if using JWT tokens with expiration > 24 hours and monitor JWT cache memory usage.
Check Version:
Run keycloak/bin/kc.sh --version, or check the Keycloak admin console.
Verify Fix Applied:
After patching, test with long-expiration JWT tokens and verify cache doesn't grow indefinitely.
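The "Check if Vulnerable" step above asks whether tokens with an expiration longer than 24 hours are in use. The following script is an added example (not part of this advisory and not Keycloak code) that decodes the payload of compact JWTs, computes the lifetime from the iat (or nbf) and exp claims, and flags tokens past the threshold. It does not verify signatures, so it is an audit aid only; the sample tokens it builds carry a placeholder signature and are constructed for the demonstration.

```python
import base64
import json

# Threshold taken from the verification guidance above: flag tokens living longer than 24 hours.
MAX_LIFETIME_SECONDS = 24 * 3600


def _b64url_encode(raw: bytes) -> str:
    # JWT segments are base64url with the trailing '=' padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding a strict decoder needs
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS token.

    The signature is deliberately NOT verified: this helper audits token
    lifetimes in a review setting and must never be used to accept tokens.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_lifetime(token: str) -> int:
    """Seconds between issue (iat, falling back to nbf) and expiry (exp)."""
    claims = jwt_claims(token)
    if "exp" not in claims:
        raise ValueError("token carries no exp claim")
    issued = claims.get("iat", claims.get("nbf"))
    if issued is None:
        raise ValueError("token carries neither iat nor nbf; lifetime is unknown")
    return int(claims["exp"]) - int(issued)


def is_excessive(token: str, max_seconds: int = MAX_LIFETIME_SECONDS) -> bool:
    return token_lifetime(token) > max_seconds


def audit(tokens: list, max_seconds: int = MAX_LIFETIME_SECONDS) -> list:
    """Summarise each token's subject, lifetime and whether it exceeds the limit."""
    report = []
    for token in tokens:
        claims = jwt_claims(token)
        lifetime = token_lifetime(token)
        report.append({
            "sub": claims.get("sub", "<no sub>"),
            "lifetime_seconds": lifetime,
            "excessive": lifetime > max_seconds,
        })
    return report


def make_sample_token(iat: int, exp: int, sub: str = "user") -> str:
    """Constructed, unsigned sample token for exercising the checks offline.

    The signature segment is a fixed placeholder, so a real Keycloak deployment
    would reject this token; it exists only as input for the lifetime audit.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": iat, "exp": exp}

    def compact(obj: dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode("utf-8")

    return ".".join([
        _b64url_encode(compact(header)),
        _b64url_encode(compact(payload)),
        _b64url_encode(b"placeholder-signature"),
    ])


if __name__ == "__main__":
    now = 1_700_000_000
    samples = [
        make_sample_token(now, now + 3600, "short-lived"),            # 1 hour: within policy
        make_sample_token(now, now + 30 * 24 * 3600, "thirty-days"),  # 30 days: flagged
    ]
    for entry in audit(samples):
        print(entry)
```

Feed it tokens captured from your own test clients; any entry marked excessive points at a client or realm whose Access Token Lifespan should be tightened per the workaround above.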
📡 Detection & Monitoring
Log Indicators:
- OutOfMemoryError in logs
- Increasing JWT cache size metrics
- High memory usage alerts
Network Indicators:
- Increased authentication latency
- Failed authentication requests
SIEM Query:
source="keycloak.log" AND ("OutOfMemoryError" OR ("JWT cache" AND "size"))
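The query above is easy to test outside a SIEM. This added example (not from the advisory or from Keycloak) applies the same predicate to log lines and adds the growth check the Log Indicators call for: it extracts a cache size from matching lines and alerts when the samples rise monotonically. The log lines and the "size=N" field format are constructed for the demonstration; a real deployment's metric lines may look different, so adjust the regular expression to match your own output.

```python
import re

# Hypothetical metric line shape ("JWT cache ... size=N"); adapt to the real log format.
CACHE_SIZE_RE = re.compile(r"JWT cache.*?size=(\d+)")


def matches_siem_query(line: str) -> bool:
    """Same predicate as the SIEM query, with the intended precedence:
    an OutOfMemoryError, or a JWT cache message that reports a size."""
    return "OutOfMemoryError" in line or ("JWT cache" in line and "size" in line)


def cache_sizes(lines: list) -> list:
    """Cache size samples, in log order, from lines that carry the metric."""
    sizes = []
    for line in lines:
        match = CACHE_SIZE_RE.search(line)
        if match:
            sizes.append(int(match.group(1)))
    return sizes


def cache_growing(lines: list, min_samples: int = 3) -> bool:
    """True when at least min_samples sizes were seen and each exceeds the last."""
    sizes = cache_sizes(lines)
    if len(sizes) < min_samples:
        return False
    return all(later > earlier for earlier, later in zip(sizes, sizes[1:]))


def scan(lines: list) -> dict:
    """Run the query over a log window and summarise what an alert should carry."""
    hits = [line for line in lines if matches_siem_query(line)]
    return {
        "hits": hits,
        "oom_seen": any("OutOfMemoryError" in line for line in hits),
        "cache_growing": cache_growing(lines),
    }


# Constructed sample log window showing the pattern the advisory describes:
# the cache grows across samples and the JVM eventually runs out of heap.
SAMPLE_LOG = [
    "2025-05-01T10:00:00Z INFO  [cache] JWT cache size=1200 entries",
    "2025-05-01T10:05:00Z INFO  [cache] JWT cache size=4800 entries",
    "2025-05-01T10:10:00Z INFO  [auth] login succeeded for user alice",
    "2025-05-01T10:10:00Z INFO  [cache] JWT cache size=19000 entries",
    "2025-05-01T10:15:00Z ERROR [server] java.lang.OutOfMemoryError: Java heap space",
]

# Constructed healthy window: the cache fluctuates and nothing errors.
HEALTHY_LOG = [
    "2025-05-01T11:00:00Z INFO  [cache] JWT cache size=1200 entries",
    "2025-05-01T11:05:00Z INFO  [cache] JWT cache size=900 entries",
    "2025-05-01T11:10:00Z INFO  [cache] JWT cache size=1100 entries",
]


if __name__ == "__main__":
    for name, window in (("incident", SAMPLE_LOG), ("healthy", HEALTHY_LOG)):
        result = scan(window)
        print(name, "oom_seen:", result["oom_seen"], "cache_growing:", result["cache_growing"])
        for hit in result["hits"]:
            print("  ", hit)
```

Pairing the cache-growth condition with the OutOfMemoryError match gives an earlier signal than the error alone: a monotonically growing cache is the precursor described under Likely Case, while the OOM is already the Worst Case.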