CVE-2025-11429

Source
https://cve.org/CVERecord?id=CVE-2025-11429
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11429.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-11429
Aliases
Downstream
Related
Published
2025-10-23T14:15:35.430Z
Modified
2026-02-20T02:39:23.448680Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
[none]
Details

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.

References

Affected packages

Git / github.com/keycloak/keycloak

Affected ranges

Type
GIT
Repo
https://github.com/keycloak/keycloak
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*
1.0-alpha-1
1.0-alpha-1-12062013
1.0-alpha-2
1.0-alpha-3
1.0-beta-1
1.0-beta-2
1.0-beta-4
1.0-final
1.0-rc-1
1.0.0.Final
1.1.0.Beta2
1.3.0.Final
2.*
2.4.0.Test

Database specific

vanir_signatures
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11429.json"