A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 30 Apr 2025 02:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak:26
References

Tue, 29 Apr 2025 23:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak: cpe:/a:redhat:build_keycloak:26.0::el9
References

Mon, 31 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 26 Mar 2025 02:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 25 Mar 2025 08:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.
Title Org.keycloak/keycloak-services: jwt token cache exhaustion leading to denial of service (dos) in keycloak
First Time appeared Redhat
Redhat build Keycloak
Redhat red Hat Single Sign On
Weaknesses CWE-770
CPEs cpe:/a:redhat:build_keycloak:
cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products Redhat
Redhat build Keycloak
Redhat red Hat Single Sign On
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-08-30T21:58:04.792Z

Reserved: 2025-03-20T12:22:59.504Z

Link: CVE-2025-2559

cve-icon Vulnrichment

Updated: 2025-03-31T16:31:55.723Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-03-25T09:15:17.047

Modified: 2025-04-30T03:15:17.857

Link: CVE-2025-2559

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-03-20T00:00:00Z

Links: CVE-2025-2559 - Bugzilla

cve-icon OpenCVE Enrichment

No data.