6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-12390

GHSA ID

GHSA-rg35-5v25-mqvp

EPSS Score

0.01055%

CWE

CWE-384

Published

10/28/2025

Updated

10/29/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-12390

CVE-2025-12390: Keycloak vulnerable to session takeovers due to reuse of session identifiers

A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.

(GitHub Advisory)

6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-12390

GHSA ID

GHSA-rg35-5v25-mqvp

EPSS Score

0.01055%

CWE

CWE-384

Published

10/28/2025

Updated

10/29/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.keycloak:keycloak-services	maven	<= 26.4.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

I have analyzed the vulnerability details for CVE-2025-12390 in Keycloak. The vulnerability is a session fixation issue where a user can accidentally gain access to another user's session due to the reuse of session identifiers during logout, especially when browser cookies are missing.

Based on the information from the Red Hat Bugzilla entry (2406793), the vulnerability is located in org.keycloak.protocol.oidc.endpoints.LogoutEndpoint. The bug report is titled "org.keycloak.protocol.oidc.endpoints.LogoutEndpoint: Offline Session takeover due to reused Authentication Session ID". This strongly indicates that the LogoutEndpoint class is responsible for handling the logout process and is the location of the flaw.

However, I was unable to find a specific commit or patch that fixes this vulnerability. The bugzilla status is "NEW", and there is no patched version mentioned in the advisory. This suggests that a patch may not be public yet.

Without a patch, I cannot definitively identify the exact vulnerable functions and provide code-level evidence. The vulnerability description and the bugzilla title point to the LogoutEndpoint class, but without seeing the code changes, it's impossible to pinpoint the specific methods involved in the session reuse logic.

Therefore, I cannot provide a confident analysis of the vulnerable functions at this time.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *l*w w*s *oun* in K*y*lo*k. In K*y*lo*k w**r* * us*r **n ***i**nt*lly **t ****ss to *not**r us*r's s*ssion i* *ot* us* t** s*m* **vi** *n* *rows*r. T*is **pp*ns ****us* K*y*lo*k som*tim*s r*us*s s*ssion i**nti*i*rs *n* *o*sn’t *l**n up prop*rly *ur

Reasoning

I **v* *n*lyz** t** vuln*r**ility **t*ils *or *V*-****-***** in K*y*lo*k. T** vuln*r**ility is * s*ssion *ix*tion issu* w**r* * us*r **n ***i**nt*lly **in ****ss to *not**r us*r's s*ssion *u* to t** r*us* o* s*ssion i**nti*i*rs *urin* lo*out, *sp**i*

6

Basic Information

Concerned about an active attack path?

CVE-2025-12390: Keycloak vulnerable to session takeovers due to reuse of session identifiers

6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI