SB2025111839 - Multiple vulnerabilities in Keycloak
Published: November 18, 2025 Updated: December 1, 2025
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Configuration (CVE-ID: CVE-2025-11538)
The issue may allow a remote attacker to gain unauthorized access to the application.
The issue exists due to an insecure default configuration of the server with debug mode enabled. By default the server binds the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0), exposing the debug interface to remote attackers.
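The exposure described above comes down to one JVM option, so the first thing an operator wants is a way to tell, from a process command line, whether a JDWP listener is bound to loopback or to every interface. The following is an added example, not Keycloak's own code: it parses the `-agentlib:jdwp=...` option using the JDK agent's own address semantics (a bare `address=port` binds loopback only on JDK 9 and later, `address=*:port` or `address=0.0.0.0:port` binds all interfaces) and flags processes that listen beyond the local host. The sample command lines are constructed and do not reproduce Keycloak's actual launch script.

```python
import re
from typing import Dict, List, Optional

# Host parts that make the JDWP agent listen on every interface.
ALL_INTERFACES = {"*", "0.0.0.0", "[::]"}
# Host parts that keep the listener on the local machine only.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}


def parse_jdwp_options(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the key=value pairs of a -agentlib:jdwp=... option, or None if no JDWP agent is loaded."""
    m = re.search(r"-agentlib:jdwp=(\S+)", cmdline)
    if m is None:
        return None
    opts: Dict[str, str] = {}
    for item in m.group(1).split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts


def jdwp_bind_scope(cmdline: str) -> str:
    """Classify the JDWP listener of a JVM: 'none', 'loopback', 'all' or 'host:<address>'."""
    opts = parse_jdwp_options(cmdline)
    # server=n means the agent connects out to a debugger; nothing listens.
    if opts is None or opts.get("server", "n") != "y":
        return "none"
    address = opts.get("address", "")
    host, sep, _port = address.rpartition(":")
    if not sep:
        # Bare port: JDK 9 and later bind loopback only (JDK 8 and earlier bound all interfaces).
        return "loopback"
    if host in ALL_INTERFACES:
        return "all"
    if host in LOOPBACK:
        return "loopback"
    return f"host:{host}"


def audit_command_lines(cmdlines: Dict[str, str]) -> List[str]:
    """Return the names of processes whose JDWP listener is reachable from other hosts."""
    return [name for name, cmd in cmdlines.items()
            if jdwp_bind_scope(cmd) not in ("none", "loopback")]


# Constructed sample: illustrative option strings, not Keycloak's real defaults.
SAMPLE_CMDLINES = {
    "kc-debug-all": "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8787 -jar quarkus-run.jar",
    "kc-debug-local": "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=localhost:8787 -jar quarkus-run.jar",
    "kc-prod": "java -jar quarkus-run.jar",
}

if __name__ == "__main__":
    for name, cmd in SAMPLE_CMDLINES.items():
        print(f"{name}: jdwp={jdwp_bind_scope(cmd)}")
    print("exposed:", audit_command_lines(SAMPLE_CMDLINES))
```

On a live host the same classification can be fed from `ps -o args=` output for each Java process; anything reported as `all` or `host:<non-loopback>` should have debug mode turned off or the address restricted to loopback, and the listening socket confirmed gone with `ss -ltn`.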
2) Improper authentication (CVE-ID: CVE-2025-12150)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to an error in WebAuthn Attestation Statement verification. The application allows registration of arbitrary authenticators even when direct attestation and AAGUID restrictions should be enforced. A remote attacker can bypass 2FA authentication process and gain unauthorized access to the application.
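The failure described above is a policy check that is configured but not enforced. The following added example, written here and not taken from Keycloak, shows the decision a relying party has to make at registration time when direct attestation and an AAGUID allowlist are required: a registration with attestation format `none`, or whose attestation statement did not verify, must be rejected, and the AAGUID can only be used for an allowlist decision once the statement vouching for it has been verified, because the AAGUID itself is plain client-supplied data. The cryptographic verification of the statement is represented by a boolean, and the AAGUIDs are constructed values, not real vendor identifiers.

```python
import uuid
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class AttestationPolicy:
    conveyance: str                        # "none", "indirect" or "direct"
    allowed_aaguids: FrozenSet[uuid.UUID]  # empty set = any authenticator model


@dataclass(frozen=True)
class RegistrationResult:
    fmt: str                   # attestation statement format: "none", "packed", "fido-u2f", ...
    aaguid: uuid.UUID          # AAGUID from the attested credential data
    trust_path_verified: bool  # attestation signature and certificate chain verified (assumed done elsewhere)


def registration_allowed(policy: AttestationPolicy, result: RegistrationResult) -> Tuple[bool, str]:
    """Decide whether a WebAuthn registration satisfies the relying party's attestation policy."""
    if policy.conveyance == "direct":
        # An authenticator that sent no attestation statement cannot prove what it is.
        if result.fmt == "none":
            return False, "direct attestation required but attestation format is 'none'"
        if not result.trust_path_verified:
            return False, "attestation statement did not verify against a trusted root"
    if policy.allowed_aaguids:
        # The AAGUID only identifies the model once the statement vouching for it is verified;
        # an allowlist checked against an unverified AAGUID is no restriction at all.
        if result.fmt == "none" or not result.trust_path_verified:
            return False, "AAGUID restriction cannot be enforced without verified attestation"
        if result.aaguid not in policy.allowed_aaguids:
            return False, f"authenticator model {result.aaguid} is not on the allowlist"
    return True, "registration accepted"


# Constructed AAGUIDs for the example; real values come from the vendor's metadata.
APPROVED_MODEL = uuid.UUID("11111111-2222-3333-4444-555555555555")
OTHER_MODEL = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
STRICT_POLICY = AttestationPolicy(conveyance="direct", allowed_aaguids=frozenset({APPROVED_MODEL}))

if __name__ == "__main__":
    for result in (
        RegistrationResult("packed", APPROVED_MODEL, True),
        RegistrationResult("none", APPROVED_MODEL, False),
        RegistrationResult("packed", OTHER_MODEL, True),
    ):
        print(result.fmt, result.aaguid, registration_allowed(STRICT_POLICY, result))
```

The design point is the order of the checks: format, then verification, then AAGUID. An implementation that consults the allowlist first and treats "AAGUID matches" as sufficient will accept any client that copies an approved AAGUID into an unattested registration.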
3) Protection mechanism failure (CVE-ID: CVE-2025-10939)
The vulnerability allows a remote attacker to gain access to the administrative interface.
The vulnerability exists due to incorrect processing of URL paths when the application sits behind certain proxy servers, such as HAProxy. A remote attacker can force the application into using relative/non-normalized paths to reach the /admin application path relative to /realms.
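The gap described above is between the path the proxy evaluates its rule against and the path the backend actually resolves. The following added detection example, not part of the original bulletin, normalizes request paths the way a lenient backend would (percent-decoding, slash collapsing, `.` and `..` resolution) and flags access-log entries whose raw path would not match a `/admin` prefix rule but whose normalized path lands under `/admin`. The log lines are constructed for the example.

```python
import posixpath
import re
from typing import List
from urllib.parse import unquote

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP/')


def normalize_path(raw: str) -> str:
    """Resolve a request path as a lenient backend would: drop the query, percent-decode
    (repeatedly, so double encoding does not survive), collapse '//' and resolve '.' and '..'."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path)   # posixpath.normpath keeps a leading '//', so collapse first
    return posixpath.normpath(path)


def is_admin_path(path: str) -> bool:
    return path == "/admin" or path.startswith("/admin/")


def evades_admin_prefix_rule(raw: str) -> bool:
    """True when a prefix rule applied to the raw path would not see /admin,
    but the normalized path still resolves there."""
    raw_path = raw.split("?", 1)[0]
    return is_admin_path(normalize_path(raw_path)) and not is_admin_path(raw_path)


def flag_non_normalized_admin(access_log: str) -> List[str]:
    """Return the raw request paths in an access log that reach /admin only after normalization."""
    flagged: List[str] = []
    for line in access_log.splitlines():
        m = REQUEST_RE.search(line)
        if m and evades_admin_prefix_rule(m.group(1)):
            flagged.append(m.group(1))
    return flagged


# Constructed access-log sample (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Nov/2025:10:00:01 +0000] "GET /realms/master/protocol/openid-connect/auth HTTP/1.1" 200 512
10.0.0.5 - - [18/Nov/2025:10:00:02 +0000] "GET /realms/master/../../admin/master/console/ HTTP/1.1" 200 2048
10.0.0.7 - - [18/Nov/2025:10:00:03 +0000] "GET /realms/%2e%2e/admin/ HTTP/1.1" 200 1024
10.0.0.9 - - [18/Nov/2025:10:00:04 +0000] "GET /admin/master/console/ HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    for path in flag_non_normalized_admin(SAMPLE_LOG):
        print("non-normalized path reaching /admin:", path, "->", normalize_path(path))
```

Run over the proxy's access log, any hit with a 2xx status is a request that the prefix rule let through and the backend served as an admin path. The durable fix is the vendor update together with normalizing on the proxy before its rules evaluate the path (HAProxy 2.4 and later ship `http-request normalize-uri` normalizers such as `path-strip-dotdot` and `path-merge-slashes` for this purpose).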
4) Session fixation (CVE-ID: CVE-2025-12390)
The vulnerability allows a local user to gain access to another session.
The vulnerability exists due to accidental session identifier reuse when logging in on the same device. A local user can get access to another user's session if both use the same device and browser.
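The standard defence against the reuse described above is to issue a fresh session identifier at every authentication and discard whatever identifier the browser presented, whether it came from the pre-login page or from a previous user of the same browser. The following added example, which is not Keycloak's session code, shows that rule in a minimal in-memory session store and walks through two users logging in from the same browser.

```python
import secrets
from typing import Dict, Optional, Tuple


class SessionStore:
    """In-memory session table: session id -> user name (None = not yet authenticated)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Optional[str]] = {}

    def new_anonymous(self) -> str:
        """Session created before login (e.g. to hold the login form state)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def login(self, presented_sid: Optional[str], user: str) -> str:
        """Authenticate `user` and always rotate: the id the browser presented is dropped
        and a fresh one issued, so an id that existed before this authentication can never
        become the authenticated session."""
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)


def shared_browser_scenario() -> Tuple[SessionStore, str, str, str]:
    """Two users log in from the same browser; the second presents whatever cookie is left over."""
    store = SessionStore()
    pre_auth = store.new_anonymous()         # cookie set when the login page is served
    alice = store.login(pre_auth, "alice")   # rotated at authentication
    # Alice walks away without logging out; Bob logs in from the same browser profile.
    bob = store.login(alice, "bob")          # the stale cookie is rotated away, not reused
    return store, pre_auth, alice, bob


if __name__ == "__main__":
    store, pre_auth, alice, bob = shared_browser_scenario()
    for label, sid in (("pre-auth", pre_auth), ("alice", alice), ("bob", bob)):
        print(f"{label}: {sid[:8]}... -> {store.user_for(sid)}")
```

The property to check in any session implementation is the one the scenario function exercises: after Bob's login, the identifier Alice's tab still holds resolves to no session at all, and Bob's identifier differs from every identifier that existed before his authentication.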
Remediation
Install the update from the vendor's website.
References
- https://github.com/advisories/GHSA-7m9g-pmxf-m9m8
- https://bugzilla.redhat.com/show_bug.cgi?id=2402622
- https://github.com/keycloak/keycloak/security/advisories/GHSA-j4vq-q93m-4683
- https://bugzilla.redhat.com/show_bug.cgi?id=2406192
- https://github.com/advisories/GHSA-c6cm-5gc7-c3f4
- https://bugzilla.redhat.com/show_bug.cgi?id=2398025
- https://github.com/keycloak/keycloak/security/advisories/GHSA-vjr8-56p3-fmqq
- https://github.com/advisories/GHSA-rg35-5v25-mqvp
- https://bugzilla.redhat.com/show_bug.cgi?id=2406793