
CVE-2025-11429: Keycloak does not invalidate sessions when "Remember Me" is disabled

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: -
Published: 10/23/2025
Updated: 10/23/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name: org.keycloak:keycloak-services
Ecosystem: maven
Vulnerable Versions: < 26.4.1
First Patched Version: 26.4.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability described is a logic flaw in Keycloak's session management, where disabling the "Remember Me" feature does not invalidate existing sessions that were created with it. This allows those sessions to persist longer than the administrator intended, increasing the risk of session hijacking.

The analysis of the provided patches, specifically commits a34094100716b7c69ae38eaed6678ab4344d0a1d and bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b, points directly to the isSessionValid method in the AuthenticationManager.java file. The patch introduces a new check in this method:

+        if (userSession.isRememberMe() && !realm.isRememberMe()) {
+            logger.debugv("Session {0} invalid: created with remember me but remember me is disabled for the realm.", userSession.getId());
+            return false;
+        }
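Review bot: the new condition in isSessionValid only takes effect when a session is next validated, so remember-me sessions created before the realm flag was switched off remain in the session store until that validation happens or they expire on their own; consider also revoking them at the point where the realm setting is changed. The debugv line is the only trace of the forced invalidation, so an operator checking the effect of disabling "Remember Me" will not see it at default log levels; a higher log level or an admin event would make the behaviour auditable.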

This code explicitly checks if a user session has the rememberMe flag set while the realm has since disabled the rememberMe feature. If this condition is met, the session is now correctly identified as invalid.

Therefore, any operation that triggers a session validation check, such as a token refresh or accessing a protected resource, would invoke the isSessionValid function. Before the patch, this function would have incorrectly returned true for a "Remember Me" session even after the feature was disabled, thus making it the vulnerable function. The added code constitutes the fix.
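As an added illustration (not Keycloak's code or the advisory's own), a self-contained Java model of the check: Realm and UserSession are simplified stand-ins for Keycloak's realm and user-session models, and isSessionValidBefore/isSessionValidAfter contrast the pre-patch lifetime check with the condition the hunk adds.

```java
import java.time.Duration;
import java.time.Instant;

// Simplified stand-ins for Keycloak's realm and user-session models (constructed for this
// example): the realm carries the "Remember Me" toggle and its two idle timeouts; the
// session records whether it was created with "Remember Me".
record Realm(boolean rememberMe, Duration ssoIdleTimeout, Duration ssoIdleTimeoutRememberMe) {}
record UserSession(boolean rememberMe, Instant lastSessionRefresh) {}

public class RememberMeSessionCheck {

    // Idle timeout governing this session: remember-me sessions get the extended one,
    // which is what lets them outlive a normal session.
    static Duration idleTimeoutFor(Realm realm, UserSession session) {
        return session.rememberMe() ? realm.ssoIdleTimeoutRememberMe() : realm.ssoIdleTimeout();
    }

    // Pre-patch logic: only the idle timeout is consulted, so a remember-me session keeps
    // its extended lifetime even after the realm has turned the feature off.
    static boolean isSessionValidBefore(Realm realm, UserSession session, Instant now) {
        Instant idleExpiry = session.lastSessionRefresh().plus(idleTimeoutFor(realm, session));
        return now.isBefore(idleExpiry);
    }

    // Post-patch logic, mirroring the condition added in the advisory's hunk: a session
    // created with "Remember Me" is invalid as soon as the realm disables "Remember Me".
    static boolean isSessionValidAfter(Realm realm, UserSession session, Instant now) {
        if (session.rememberMe() && !realm.rememberMe()) {
            return false;
        }
        return isSessionValidBefore(realm, session, now);
    }

    public static void main(String[] args) {
        // Constructed scenario: 30-minute idle timeout, 30-day remember-me idle timeout.
        Realm enabled = new Realm(true, Duration.ofMinutes(30), Duration.ofDays(30));
        Realm disabled = new Realm(false, Duration.ofMinutes(30), Duration.ofDays(30));
        Instant login = Instant.parse("2025-10-01T09:00:00Z");
        Instant weekLater = login.plus(Duration.ofDays(7));
        UserSession rememberMe = new UserSession(true, login);

        // While the feature is enabled, the week-old remember-me session is legitimately valid.
        System.out.println("enabled realm:                " + isSessionValidAfter(enabled, rememberMe, weekLater));
        // After the admin disables "Remember Me", only the patched check rejects it.
        System.out.println("disabled realm, before patch: " + isSessionValidBefore(disabled, rememberMe, weekLater));
        System.out.println("disabled realm, after patch:  " + isSessionValidAfter(disabled, rememberMe, weekLater));
        // A normal session refreshed five minutes ago is unaffected by the new condition.
        UserSession plain = new UserSession(false, weekLater.minus(Duration.ofMinutes(5)));
        System.out.println("plain session, after patch:   " + isSessionValidAfter(disabled, plain, weekLater));
    }
}
```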

Vulnerable functions

org.keycloak.services.managers.AuthenticationManager.isSessionValid
services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
The vulnerability lies in the `isSessionValid` function, which, prior to the patch, did not check if a session created with the "Remember Me" option was still valid after this option was disabled at the realm level. This allowed for an extended session lifetime beyond the intended configuration. The patch adds a condition to invalidate such sessions.

WAF Protection Rules

WAF Rule

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire,
