Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2025-11429

5.4 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 2 months, 3 weeks ago

Keycloak-server: too long and not settings compliant session

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.

References

https://access.redhat.com/security/cve/CVE-2025-11429 vdb-entryx_refsource_REDHAT
RHBZ#2402148 x_refsource_REDHATissue-tracking
https://access.redhat.com/security/cve/CVE-2025-11429 vdb-entryx_refsource_REDHAT
RHBZ#2402148 x_refsource_REDHATissue-tracking
RHSA-2025:22088 vendor-advisoryx_refsource_REDHAT
RHSA-2025:22089 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-11429 vdb-entryx_refsource_REDHAT
RHBZ#2402148 x_refsource_REDHATissue-tracking
RHSA-2025:22088 vendor-advisoryx_refsource_REDHAT
RHSA-2025:22089 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-11429 vdb-entryx_refsource_REDHAT
RHBZ#2402148 x_refsource_REDHATissue-tracking
RHSA-2025:22088 vendor-advisoryx_refsource_REDHAT
RHSA-2025:22089 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-11429 vdb-entryx_refsource_REDHAT
RHBZ#2402148 x_refsource_REDHATissue-tracking
https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344…
https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79…
https://github.com/keycloak/keycloak/issues/43328
RHSA-2025:22088 vendor-advisoryx_refsource_REDHAT
RHSA-2025:22089 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-11429 vdb-entryx_refsource_REDHAT
RHBZ#2402148 x_refsource_REDHATissue-tracking
https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344…
https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79…
https://github.com/keycloak/keycloak/issues/43328

Affected products

keycloak

<26.4.1

rhbk/keycloak-rhel9

*

rhbk/keycloak-rhel9-operator

*

rhbk/keycloak-operator-bundle

*

Red Hat build of Keycloak 26.2.11

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

nixos-unstable 26.3.1
- nixpkgs-unstable 26.3.1
- nixos-unstable-small 26.3.1
nixos-25.11 26.4.7
- nixpkgs-25.11-darwin 26.4.7

pkgs.terraform-providers.keycloak

None

nixos-unstable 5.4.0
- nixpkgs-unstable 5.4.0
- nixos-unstable-small 5.4.0

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

nixos-unstable 4.0.0
- nixpkgs-unstable 4.0.0
- nixos-unstable-small 4.0.0
nixos-25.11 4.0.0
- nixpkgs-25.11-darwin 4.0.0

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

nixos-unstable 4.0.0
- nixpkgs-unstable 4.0.0
- nixos-unstable-small 4.0.0
nixos-25.11 4.0.0
- nixpkgs-25.11-darwin 4.0.0

pkgs.terraform-providers.keycloak_keycloak

None

nixos-25.11 5.5.0
- nixpkgs-25.11-darwin 5.5.0

Package maintainers

@leona-ya Leona Maroni <nix@leona.is>
@ngerstle Nicholas Gerstle <ngerstle@gmail.com>
@talyz Kim Lindberger <kim.lindberger@gmail.com>
@NickCao Nick Cao <nickcao@nichi.co>