OutOfMemoryError Vulnerability in Keycloak Authentication with JWT Tokens
CVE-2025-2559
4.9 MEDIUM
Key Information:
- Vendor:
- CVE Published: 25 March 2025
What is CVE-2025-2559?
A flaw in Keycloak arises when JWT tokens are configured for authentication. The caching mechanism retains these tokens until they expire, so excessively long expiration times (e.g., 24 or 48 hours) allow the token cache to grow without bound. This growth can consume all available memory, resulting in an OutOfMemoryError. As a consequence, legitimate users may experience denial of service, preventing them from accessing the system and disrupting normal operations.
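The growth pattern described above is easiest to see in a small model. The following is an added example written for this page, not Keycloak's code: an expiry-only token cache (entries leave only when their JWT exp has passed) beside a variant with a hard entry cap, plus a sizing rule that estimates the steady-state footprint from issue rate and lifetime. The class names, the simulation, and the sample tokens are all constructed for illustration and are not taken from the project.

```python
"""
Constructed model of a token cache for the memory-growth pattern described
in CVE-2025-2559. Not Keycloak's implementation; all names are hypothetical.
"""
from collections import OrderedDict


class ExpiryOnlyTokenCache:
    """Holds a token until its expiry timestamp passes. With long lifetimes
    and many distinct tokens this is the unbounded-growth case."""

    def __init__(self):
        self._entries = {}  # token string -> expiry time (seconds)

    def put(self, token, exp):
        self._entries[token] = exp

    def evict_expired(self, now):
        # Only expired tokens ever leave the cache.
        for t in [t for t, exp in self._entries.items() if exp <= now]:
            del self._entries[t]

    def __len__(self):
        return len(self._entries)


class BoundedTokenCache(ExpiryOnlyTokenCache):
    """Same expiry rule plus a hard cap on live entries: the oldest entry is
    dropped first, so memory use no longer depends on token lifetime."""

    def __init__(self, max_entries):
        self._entries = OrderedDict()
        self.max_entries = max_entries

    def put(self, token, exp):
        if token in self._entries:
            self._entries.move_to_end(token)
        self._entries[token] = exp
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)  # evict oldest entry


def steady_state_entries(token_lifetime_s, tokens_per_s):
    """Sizing rule for an expiry-only cache: every token issued within one
    lifetime is live at once, so the steady state is rate * lifetime."""
    return token_lifetime_s * tokens_per_s


def simulate(cache, token_lifetime_s, tokens_per_s, duration_s):
    """Issue one distinct (constructed) token per request for duration_s
    seconds, evict expired entries once per second, and return the peak
    number of cached entries observed."""
    peak = 0
    for now in range(duration_s):
        cache.evict_expired(now)
        for i in range(tokens_per_s):
            cache.put(f"tok-{now}-{i}", now + token_lifetime_s)
        peak = max(peak, len(cache))
    return peak


if __name__ == "__main__":
    # 24 h lifetime: nothing expires during a 10 minute window, so the
    # expiry-only cache holds every token issued (5/s * 600 s = 3000).
    print("24h lifetime, expiry-only:", simulate(ExpiryOnlyTokenCache(), 86400, 5, 600))
    # 5 min lifetime: the cache levels off at rate * lifetime = 1500.
    print("5m lifetime, expiry-only:", simulate(ExpiryOnlyTokenCache(), 300, 5, 600))
    # Entry cap: peak cannot exceed 500 whatever the lifetime.
    print("24h lifetime, capped at 500:", simulate(BoundedTokenCache(500), 86400, 5, 600))
    print("projected steady state at 5 tokens/s over 24h:",
          steady_state_entries(86400, 5))
```

The useful check for an operator is the product in steady_state_entries: multiply the token issue rate by the configured lifetime and compare the result with the heap the cache can afford. If that number is uncomfortable, the levers are a shorter token lifetime or a cache that is bounded by size as well as by expiry, as the second class models.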
