An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.
Fixes

Solution

No solution given by the vendor.


Workaround

There are three main options to prevent exploitation: 1) If you are using a reverse proxy, block the consents URL. 2) This option is less effective: remove the consents application tab from the account console theme. 3) This option has a significant negative impact on end users: entirely disable offline user profiles.

History

Wed, 18 Sep 2024 08:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak:22 cpe:/a:redhat:build_keycloak:

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-08-07T11:11:22.165Z

Reserved: 2023-12-06T18:47:35.594Z

Link: CVE-2023-6563

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-12-14T18:15:45.540

Modified: 2024-11-21T08:44:06.483

Link: CVE-2023-6563

cve-icon Redhat

Severity : Important

Publid Date: 2023-12-14T00:00:00Z

Links: CVE-2023-6563 - Bugzilla

cve-icon OpenCVE Enrichment

No data.