GHSA-7m9g-pmxf-m9m8: Duplicate Advisory: Keycloak allows Binding to an Unrestricted IP Address

November 13, 2025 (updated December 2, 2025)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-j4vq-q93m-4683. This link is maintained to preserve external references.

Original Description

A vulnerability exists in Keycloak’s server distribution where enabling debug mode (–debug ) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.

References

Code Behaviors & Features

Detect and mitigate GHSA-7m9g-pmxf-m9m8 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →