CVE-2025-11419: Keycloak TLS Client-Initiated Renegotiation Denial of Service

October 27, 2025

Keycloak is vulnerable to a Denial of Service (DoS) attack due to the default JDK setting that permits Client-Initiated Renegotiation in TLS 1.2. An unauthenticated remote attacker can repeatedly initiate TLS renegotiation requests to exhaust server CPU resources, making the service unavailable. Immediate mitigation is available by setting the -Djdk.tls.rejectClientInitiatedRenegotiation=true Java system property in the Keycloak startup configuration.

References

github.com/advisories/GHSA-q8hq-4h99-fj7x
github.com/keycloak/keycloak
github.com/keycloak/keycloak/security/advisories/GHSA-q8hq-4h99-fj7x
nvd.nist.gov/vuln/detail/CVE-2025-11419

Code Behaviors & Features

Detect and mitigate CVE-2025-11419 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →