CVE-2025-11419
Keycloak TLS Client-Initiated Renegotiation Denial of Service
CVSS 3.1 base score: 7.5 (HIGH); EPSS: 0.10%
Description
Keycloak is vulnerable to a Denial of Service (DoS) attack due to the default JDK setting that permits Client-Initiated Renegotiation in TLS 1.2. An unauthenticated remote attacker can repeatedly initiate TLS renegotiation requests to exhaust server CPU resources, making the service unavailable. Immediate mitigation is available by setting the `-Djdk.tls.rejectClientInitiatedRenegotiation=true` Java system property in the Keycloak startup configuration.
How to fix CVE-2025-11419
To remediate CVE-2025-11419, upgrade the affected package to a fixed version below.
- Upgrade to 26.0.16 or later
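The following POSIX shell helpers are an added example, not part of this advisory or of the Keycloak project. They put the two remediation facts above into checkable form: whether an installed Keycloak version falls in the affected range (everything below 26.0.16), and how to add the `-Djdk.tls.rejectClientInitiatedRenegotiation=true` JVM property to a startup environment exactly once. The example assumes a deployment that starts Keycloak with `bin/kc.sh` and passes extra JVM flags through the `JAVA_OPTS_APPEND` environment variable (Keycloak's documented mechanism); the `jcmd` verification line assumes a JDK is installed on the host.

```shell
#!/bin/sh
# Added example (not the advisory's or Keycloak's own code).
# Assumes: Keycloak started via bin/kc.sh, extra JVM flags supplied through
# JAVA_OPTS_APPEND, GNU/busybox `sort -V` available for version ordering.

MITIGATION_FLAG='-Djdk.tls.rejectClientInitiatedRenegotiation=true'
FIXED_VERSION='26.0.16'   # first fixed release named in the advisory

# kc_is_affected VERSION -> prints "affected" or "fixed"
# The advisory's affected range is "from 0, < 26.0.16", i.e. every
# release that sorts strictly below 26.0.16.
kc_is_affected() {
  v="$1"
  # sort -V orders dotted versions component-wise; if the installed version
  # sorts first and is not equal to the fixed one, it is below the fix.
  lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)
  if [ "$v" != "$FIXED_VERSION" ] && [ "$lowest" = "$v" ]; then
    echo affected
  else
    echo fixed
  fi
}

# has_mitigation OPTS -> exit status 0 if the flag is already present
has_mitigation() {
  case " $1 " in
    *" $MITIGATION_FLAG "*) return 0 ;;
    *) return 1 ;;
  esac
}

# with_mitigation OPTS -> prints OPTS with the flag appended, idempotently,
# so re-running a provisioning script never duplicates it.
with_mitigation() {
  opts="$1"
  if has_mitigation "$opts"; then
    printf '%s\n' "$opts"
  else
    printf '%s\n' "${opts:+$opts }$MITIGATION_FLAG"
  fi
}

# Host usage (left commented so the file can also be sourced by tests):
#   export JAVA_OPTS_APPEND="$(with_mitigation "$JAVA_OPTS_APPEND")"
#   bin/kc.sh start
# Verifying the running JVM actually received the property (JDK tool jcmd):
#   jcmd "$(pgrep -f kc.sh | head -n 1)" VM.system_properties \
#     | grep jdk.tls.rejectClientInitiatedRenegotiation
```

The property only closes the client-initiated renegotiation path; it is the stop-gap the advisory names, and upgrading to 26.0.16 or later remains the actual fix. Applying both (flag now, upgrade on the next maintenance window) is the usual order for an exposed instance.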
Is CVE-2025-11419 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Versions from 0 up to, but not including, 26.0.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |