7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-11419

GHSA ID

GHSA-q8hq-4h99-fj7x

EPSS Score

CWE

CWE-400

Published

10/27/2025

Updated

10/27/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-11419

CVE-2025-11419: Keycloak TLS Client-Initiated Renegotiation Denial of Service

Keycloak is vulnerable to a Denial of Service (DoS) attack due to the default JDK setting that permits Client-Initiated Renegotiation in TLS 1.2. An unauthenticated remote attacker can repeatedly initiate TLS renegotiation requests to exhaust server CPU resources, making the service unavailable. Immediate mitigation is available by setting the -Djdk.tls.rejectClientInitiatedRenegotiation=true Java system property in the Keycloak startup configuration.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-11419

GHSA ID

GHSA-q8hq-4h99-fj7x

EPSS Score

CWE

CWE-400

Published

10/27/2025

Updated

10/27/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.keycloak:keycloak-quarkus-dist	maven	< 26.0.16	26.0.16
org.keycloak:keycloak-quarkus-dist	maven	>= 26.1.0, < 26.2.10	26.2.10
org.keycloak:keycloak-quarkus-dist	maven	>= 26.3.0, < 26.4.1	26.4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Denial of Service (DoS) vector in Keycloak's default configuration, stemming from the underlying Java Development Kit (JDK) allowing client-initiated renegotiation in TLS 1.2. An attacker can repeatedly send renegotiation requests, which are computationally expensive, leading to CPU exhaustion and service unavailability. The security patch addresses this by modifying the startup scripts (kc.sh and kc.bat) to include the Java system property -Djdk.tls.rejectClientInitiatedRenegotiation=true. This property instructs the JDK to reject such requests. As the vulnerability lies in the TLS protocol configuration at the JVM level and not within a specific application function, no vulnerable functions within the Keycloak codebase can be identified from the patch. The entire service is susceptible due to the environment's configuration. During an exploit, profiling would show high CPU usage in the JVM's internal TLS/SSL handling threads, not in specific Keycloak application logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

K*y*lo*k is vuln*r**l* to * **ni*l o* S*rvi** (*oS) *tt**k *u* to t** ****ult J*K s*ttin* t**t p*rmits *li*nt-Initi*t** R*n**oti*tion in TLS *.*. *n un*ut**nti**t** r*mot* *tt**k*r **n r*p**t**ly initi*t* TLS r*n**oti*tion r*qu*sts to *x**ust s*rv*r

Reasoning

T** vuln*r**ility is * **ni*l o* S*rvi** (*oS) v**tor in K*y*lo*k's ****ult *on*i*ur*tion, st*mmin* *rom t** un**rlyin* J*v* **v*lopm*nt Kit (J*K) *llowin* *li*nt-initi*t** r*n**oti*tion in TLS *.*. *n *tt**k*r **n r*p**t**ly s*n* r*n**oti*tion r*qu*

7.5

Basic Information

Concerned about an active attack path?

CVE-2025-11419: Keycloak TLS Client-Initiated Renegotiation Denial of Service

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI