CVE-2025-11429
BaseFortify
Publication date: 2025-10-23
Last updated on: 2025-11-28
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keycloak | keycloak | 3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Keycloak involves a session management logic flaw with the "Remember Me" feature. When an administrator disables "Remember Me" at the realm level, existing user sessions created while it was enabled continue to have extended lifetimes until they expire naturally. This happens because the session expiration logic only checks the session-local "remember-me" flag and does not revalidate the current realm-level setting. Consequently, the system does not immediately enforce the disabling of "Remember Me" on active sessions, allowing long-lived sessions to persist beyond the administrator's security changes, increasing the risk of session hijacking or unauthorized long-term access. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers who have previously compromised a "Remember Me" session (for example, by stealing the identity cookie) to maintain unauthorized access for the full original session duration, even after the "Remember Me" feature has been disabled by an administrator. This extended session lifetime increases the window of opportunity for session hijacking or unauthorized long-term access persistence, potentially compromising user accounts and sensitive data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves identifying active user sessions that were created while the 'Remember Me' feature was enabled and verifying whether they retain extended session lifetimes despite the feature being disabled at the realm level. Since the flaw is in session management logic, you can inspect Keycloak session data or logs for sessions with the 'remember-me' flag set. Specific commands depend on your Keycloak setup, but generally you can query the Keycloak database or use the Keycloak Admin REST API to list active sessions and check their attributes. For example, using the Keycloak Admin CLI or REST API, you can list sessions and filter for those with the 'remember-me' flag still active. Additionally, monitoring network traffic for long-lived session cookies might help identify potentially affected sessions. [1]
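The following is an added example, not code from Keycloak or from BaseFortify, that models the two points made above: the expiry logic that consults only the session-local flag versus a hardened check that re-validates the realm-level setting, and a detector that, given Admin REST API session data, reports which sessions are alive only because of the stale Remember-Me lifespan. The realm attribute names (rememberMe, ssoSessionMaxLifespan, ssoSessionMaxLifespanRememberMe) and the Admin REST endpoints are Keycloak's own; the realm values, session list and session IDs are constructed for the example, and the presence of a rememberMe attribute on the user-session representation is assumed (it is there in recent Keycloak releases; check your version). The live helpers at the bottom are not exercised offline.

```python
# Added example: model of the Remember-Me expiry flaw behind CVE-2025-11429 and a
# detector over Keycloak Admin REST API session data. Not Keycloak project code.
from __future__ import annotations

import json
import time
import urllib.request

# Constructed RealmRepresentation excerpt; field names are real Keycloak realm
# attributes, values are made up. Lifespans are in seconds.
REALM = {
    "realm": "example-realm",
    "rememberMe": False,                          # administrator has just turned it off
    "ssoSessionMaxLifespan": 36000,               # 10 hours
    "ssoSessionMaxLifespanRememberMe": 2592000,   # 30 days
}

# Constructed list shaped like the Admin API's user-session representation
# (GET /admin/realms/{realm}/clients/{client-uuid}/user-sessions). "start" is
# epoch milliseconds; the "rememberMe" attribute is assumed present.
NOW_MS = 1_761_220_800_000      # constructed "current time"
HOUR_MS = 3_600_000
DAY_MS = 86_400_000
SESSIONS = [
    {"id": "s-remember-3d", "username": "alice", "rememberMe": True, "start": NOW_MS - 3 * DAY_MS},
    {"id": "s-plain-1h", "username": "bob", "rememberMe": False, "start": NOW_MS - 1 * HOUR_MS},
    {"id": "s-remember-40d", "username": "carol", "rememberMe": True, "start": NOW_MS - 40 * DAY_MS},
    {"id": "s-remember-2h", "username": "dave", "rememberMe": True, "start": NOW_MS - 2 * HOUR_MS},
]


def remember_me_lifespan(realm: dict) -> int:
    """Keycloak falls back to the normal lifespan when the Remember-Me one is 0."""
    extended = realm.get("ssoSessionMaxLifespanRememberMe", 0)
    return extended if extended > 0 else realm["ssoSessionMaxLifespan"]


def lifespan_vulnerable(session: dict, realm: dict) -> int:
    """Flawed logic: only the flag stored on the session is consulted."""
    if session.get("rememberMe"):
        return remember_me_lifespan(realm)
    return realm["ssoSessionMaxLifespan"]


def lifespan_hardened(session: dict, realm: dict) -> int:
    """Hardened logic: the extended lifespan applies only while the realm still allows it."""
    if session.get("rememberMe") and realm.get("rememberMe"):
        return remember_me_lifespan(realm)
    return realm["ssoSessionMaxLifespan"]


def is_expired(session: dict, realm: dict, now_ms: int, lifespan_fn) -> bool:
    return now_ms >= session["start"] + lifespan_fn(session, realm) * 1000


def lingering_sessions(sessions: list[dict], realm: dict, now_ms: int) -> list[str]:
    """IDs of sessions alive only because of the stale Remember-Me lifespan.

    Nothing is flagged while the realm still has Remember Me enabled.
    """
    if realm.get("rememberMe"):
        return []
    return [s["id"] for s in sessions
            if not is_expired(s, realm, now_ms, lifespan_vulnerable)
            and is_expired(s, realm, now_ms, lifespan_hardened)]


def at_risk_sessions(sessions: list[dict], realm: dict, now_ms: int) -> list[str]:
    """Remember-Me sessions still inside the normal lifespan; they will outlive it unless revoked."""
    if realm.get("rememberMe"):
        return []
    return [s["id"] for s in sessions
            if s.get("rememberMe") and not is_expired(s, realm, now_ms, lifespan_hardened)]


# Live helpers against a real Admin REST API (base_url like https://sso.example.test,
# token from an admin client). Not exercised in the offline run above.
def _admin_call(base_url: str, token: str, path: str, method: str = "GET"):
    req = urllib.request.Request(f"{base_url}/admin/realms/{path}", method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return json.loads(body) if body else None


def revoke_stale_remember_me(base_url: str, token: str, realm_name: str, client_uuid: str) -> list[str]:
    """Fetch realm settings and one client's sessions, then delete affected sessions."""
    realm = _admin_call(base_url, token, realm_name)
    sessions = _admin_call(base_url, token, f"{realm_name}/clients/{client_uuid}/user-sessions")
    now_ms = int(time.time() * 1000)
    targets = lingering_sessions(sessions, realm, now_ms) + at_risk_sessions(sessions, realm, now_ms)
    for sid in targets:
        _admin_call(base_url, token, f"{realm_name}/sessions/{sid}", method="DELETE")
    return targets


if __name__ == "__main__":
    print("lingering:", lingering_sessions(SESSIONS, REALM, NOW_MS))
    print("at risk:  ", at_risk_sessions(SESSIONS, REALM, NOW_MS))
```

Run as-is to see the constructed data classified; the lingering session is the one that would have expired hours ago under the realm's current 10-hour limit but is still honoured under the 30-day Remember-Me limit. If Remember Me is re-enabled on the realm, both lists are empty, which is why the realm setting is fetched together with the sessions rather than hard-coded.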
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include invalidating or terminating all existing user sessions that were created while the 'Remember Me' feature was enabled. This forces users to re-authenticate under the new security configuration. Administrators should disable the 'Remember Me' setting at the realm level and then perform a session revocation or logout of all active sessions to ensure no extended sessions persist. Applying any available patches or updates from Keycloak that address this issue is also recommended. [1]