{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2559", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-03-20T12:22:59.504Z", "datePublished": "2025-03-25T08:20:57.666Z", "dateUpdated": "2026-05-06T16:48:50.818Z"}, "containers": {"cna": {"title": "Org.keycloak/keycloak-services: jwt token cache exhaustion leading to denial of service (dos) in keycloak", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system."}], "affected": [{"versions": [{"status": "affected", "version": "23.0.0", "lessThan": "26.0.11", "versionType": "semver"}, {"status": "affected", "version": "26.1.0", "lessThan": "26.1.5", "versionType": "semver"}], "packageName": "keycloak", "collectionURL": "https://github.com/keycloak/keycloak/", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "keycloak-services", "cpes": ["cpe:/a:redhat:build_keycloak:26"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.0", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "26.0.11-2", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.0", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "26.0-12", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.0", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "26.0-13", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak-services", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:4335", "name": "RHSA-2025:4335", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:4336", "name": "RHSA-2025:4336", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-2559", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353868", "name": "RHBZ#2353868", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/keycloak/keycloak/commit/a10c8119d4452b866b90a9019b2cc159919276ca"}, {"url": "https://github.com/keycloak/keycloak/issues/38576"}], "datePublic": "2025-03-20T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-770: Allocation of Resources Without Limits or Throttling", "timeline": [{"lang": "en", "time": "2025-03-20T11:46:08.046Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-03-20T00:00:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-05-06T16:48:50.818Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-31T16:31:49.361189Z", "id": "CVE-2025-2559", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T16:31:59.498Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2559", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-31T16:31:49.361189Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T16:31:55.723Z"}}], "cna": {"title": "Org.keycloak/keycloak-services: jwt token cache exhaustion leading to denial of service (dos) in keycloak", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "affected", "version": "23.0.0", "lessThan": "26.0.11", "versionType": "semver"}, {"status": "affected", "version": "26.1.0", "lessThan": "26.1.5", "versionType": "semver"}], "packageName": "keycloak", "collectionURL": "https://github.com/keycloak/keycloak/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "packageName": "keycloak-services", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.0::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.0", "versions": [{"status": "unaffected", "version": "26.0.11-2", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-operator-bundle", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.0::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.0", "versions": [{"status": "unaffected", "version": "26.0-12", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.0::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.0", "versions": [{"status": "unaffected", "version": "26.0-13", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-rhel9-operator", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"], "vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "packageName": "keycloak-services", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2025-03-20T11:46:08.046Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-03-20T00:00:00.000Z", "value": "Made public."}], "datePublic": "2025-03-20T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:4335", "name": "RHSA-2025:4335", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:4336", "name": "RHSA-2025:4336", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-2559", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353868", "name": "RHBZ#2353868", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/keycloak/keycloak/commit/a10c8119d4452b866b90a9019b2cc159919276ca"}, {"url": "https://github.com/keycloak/keycloak/issues/38576"}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-05-06T16:48:50.818Z"}, "x_redhatCweChain": "CWE-770: Allocation of Resources Without Limits or Throttling"}}, "cveMetadata": {"cveId": "CVE-2025-2559", "state": "PUBLISHED", "dateUpdated": "2026-05-06T16:48:50.818Z", "dateReserved": "2025-03-20T12:22:59.504Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-03-25T08:20:57.666Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system."}, {"lang": "es", "value": "Se detect\u00f3 una falla en Keycloak. Cuando la configuraci\u00f3n utiliza tokens JWT para la autenticaci\u00f3n, estos se almacenan en cach\u00e9 hasta su vencimiento. Si un cliente utiliza tokens JWT con un tiempo de vencimiento demasiado largo, por ejemplo, 24 o 48 horas, la cach\u00e9 puede crecer indefinidamente, lo que genera un error de memoria (OutOfMemoryError). Este problema podr\u00eda generar una condici\u00f3n de denegaci\u00f3n de servicio, impidiendo que los usuarios leg\u00edtimos accedan al sistema."}], "id": "CVE-2025-2559", "lastModified": "2026-05-06T17:16:19.593", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2025-03-25T09:15:17.047", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:4335"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:4336"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-2559"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353868"}, {"source": "secalert@redhat.com", "url": "https://github.com/keycloak/keycloak/commit/a10c8119d4452b866b90a9019b2cc159919276ca"}, {"source": "secalert@redhat.com", "url": "https://github.com/keycloak/keycloak/issues/38576"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:4336", "cpe": "cpe:/a:redhat:build_keycloak:26", "package": "keycloak-services", "product_name": "Red Hat Build of Keycloak", "release_date": "2025-04-29T00:00:00Z"}, {"advisory": "RHSA-2025:4335", "cpe": "cpe:/a:redhat:build_keycloak:26.0::el9", "package": "rhbk/keycloak-operator-bundle:26.0.11-2", "product_name": "Red Hat build of Keycloak 26.0", "release_date": "2025-04-29T00:00:00Z"}, {"advisory": "RHSA-2025:4335", "cpe": "cpe:/a:redhat:build_keycloak:26.0::el9", "package": "rhbk/keycloak-rhel9:26.0-12", "product_name": "Red Hat build of Keycloak 26.0", "release_date": "2025-04-29T00:00:00Z"}, {"advisory": "RHSA-2025:4335", "cpe": "cpe:/a:redhat:build_keycloak:26.0::el9", "package": "rhbk/keycloak-rhel9-operator:26.0-13", "product_name": "Red Hat build of Keycloak 26.0", "release_date": "2025-04-29T00:00:00Z"}], "bugzilla": {"description": "org.keycloak/keycloak-services: JWT Token Cache Exhaustion Leading to Denial of Service (DoS) in Keycloak", "id": "2353868", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353868"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.", "A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system."], "name": "CVE-2025-2559", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Fix deferred", "package_name": "keycloak-services", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2025-03-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-2559\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-2559"], "statement": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-770: Allocation of Resources Without Limits or Throttling vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nThe platform enforces hardening guidelines to apply the most restrictive settings required for operations, while baseline configurations maintain secure system and software states. A defense-in-depth monitoring strategy includes perimeter firewalls and endpoint protection services that detect excessive resource usage caused by malicious activity or system misconfigurations. In the event of exploitation, process isolation ensures workloads operate in separate environments, preventing any single process from overconsuming CPU or memory and degrading system performance.", "threat_severity": "Moderate"}

{}