CVE-2025-2559 MEDIUM

CVE-2025-2559: org.keycloak/keycloak-services: JWT token cache exhaustion leading to denial of service (DoS) in Keycloak

Vendor Red Hat
Product Red Hat Build of Keycloak
Weakness CWE-770 · Uncontrolled resource consumption
Published March 25, 2025
Last update May 6, 2026

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.
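An added illustration of the cache growth described above; this is a constructed model, not Keycloak's code and not its fix. Each simulated token is kept until its `exp` claim passes, so 48-hour tokens presented continuously accumulate, while a cache that also clamps retention and caps the entry count (an assumed mitigation pattern, with parameters chosen here) stays bounded.

```python
from collections import OrderedDict

ONE_HOUR = 3600

class ExpiryOnlyCache:
    """Pattern described in the advisory: an entry is dropped only once its
    exp claim has passed, so cache size is driven by the client-chosen exp."""

    def __init__(self):
        self._entries = {}  # token id -> exp (seconds since epoch)

    def _purge(self, now):
        for key in [k for k, exp in self._entries.items() if exp <= now]:
            del self._entries[key]

    def put(self, token_id, exp, now):
        self._purge(now)
        self._entries[token_id] = exp

    def __len__(self):
        return len(self._entries)

class BoundedCache(ExpiryOnlyCache):
    """Assumed mitigation pattern (not Keycloak's actual fix): retention is
    clamped to max_ttl and the entry count is capped with LRU eviction."""

    def __init__(self, max_entries, max_ttl):
        self._entries = OrderedDict()
        self.max_entries = max_entries
        self.max_ttl = max_ttl

    def put(self, token_id, exp, now):
        self._purge(now)
        self._entries[token_id] = min(exp, now + self.max_ttl)  # clamp exp
        self._entries.move_to_end(token_id)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)  # evict least recently used

def simulate(cache, token_ttl, tokens_per_second, seconds):
    """Feed the cache one fresh token per request, as a client presenting a
    new long-lived JWT on every call would, and return the peak entry count."""
    peak = 0
    for now in range(seconds):
        for i in range(tokens_per_second):
            cache.put(f"jti-{now}-{i}", now + token_ttl, now)  # constructed ids
        peak = max(peak, len(cache))
    return peak
```

With 5 requests per second over 5 minutes, 60-second tokens peak at 300 cached entries, 48-hour tokens never purge and reach 1500, and the bounded cache holds at its 500-entry cap.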

Key dates

02 Disclosure timeline

March 25, 2025 CVE published
May 6, 2026 Record updated