5.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-13467

GHSA ID

GHSA-93vm-mqpw-8wh3

EPSS Score

0.00042%

CWE

CWE-502

Published

11/25/2025

Updated

11/26/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-13467

CVE-2025-13467: Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization

A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-13467

CVE-2025-13467:

5.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-13467

GHSA ID

GHSA-93vm-mqpw-8wh3

EPSS Score

0.00042%

CWE

CWE-502

Published

11/25/2025

Updated

11/26/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.keycloak:keycloak-ldap-federation	maven	< 26.4.6	26.4.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic case of Deserialization of Untrusted Data (CWE-502) within the Keycloak LDAP User Federation provider. It occurs when an administrator configures Keycloak to use a malicious LDAP server that returns a JNDI referral. The JNDI framework, by default, can process these referrals in an unsafe way, potentially fetching and instantiating arbitrary Java objects from a remote location, which leads to Remote Code Execution (RCE).

The patch addresses this by introducing a security control that was previously missing. It does not modify a single vulnerable function but rather adds a new mechanism to secure the JNDI context.

The analysis of the patch commit 754c070cf8ca187dcc71f0f72ff3130ff2195328 reveals the following:

The LDAPStorageProviderFactory.init method, which is called when the LDAP provider is initialized, is modified to set up a secure JNDI environment. In vulnerable versions, this method did not perform this crucial setup, leaving the application in a vulnerable state.
A new class, ObjectFactoryBuilder, is introduced. Its purpose is to intercept the handling of JNDI referrals. The createObjectFactory method within this class inspects the referral Reference object.
The getLdapUrl helper method ensures that any URL within the referral is a safe LDAP URL (i.e., starts with ldap). If any other protocol is found, the referral is rejected, thus preventing the JNDI framework from accessing malicious remote endpoints.

Therefore, the vulnerability is caused by the absence of this validation logic. The identified functions are critical because init is where the security control should have been enabled, and createObjectFactory and getLdapUrl are the new functions that now process the potentially malicious input (the JNDI referral) securely.

Vulnerable functions

org.keycloak.storage.ldap.LDAPStorageProviderFactory.init

federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java

This function is responsible for initializing the LDAP provider. In vulnerable versions, it failed to configure a secure JNDI ObjectFactoryBuilder, leaving the application vulnerable to deserialization of untrusted data from malicious LDAP referrals. The patch rectifies this by adding a call to `setObjectFactoryBuilder()` which installs a secure factory builder.

org.keycloak.storage.ldap.ObjectFactoryBuilder.createObjectFactory

federation/ldap/src/main/java/org/keycloak/storage/ldap/ObjectFactoryBuilder.java

This function, introduced in the patch, directly handles potentially malicious JNDI `Reference` objects returned by an LDAP server. The vulnerability existed because this logic was absent, causing Keycloak to use the default, insecure JNDI object factory which could lead to deserialization of arbitrary Java objects. This function intercepts the creation of object factories for referrals and validates them, throwing an exception if they are not secure LDAP URLs.

org.keycloak.storage.ldap.ObjectFactoryBuilder.getLdapUrl

federation/ldap/src/main/java/org/keycloak/storage/ldap/ObjectFactoryBuilder.java

This function contains the core validation logic of the security patch. It inspects the URL within a JNDI `Reference` and ensures it uses the `ldap://` or `ldaps://` protocol. The vulnerability was possible because, without this check, the JNDI provider could process dangerous URLs pointing to remote codebases (e.g., using RMI or IIOP), leading to untrusted deserialization.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-13467: Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization

CVE-2025-13467:

5.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

5.5

5.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2025-13467: Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI