GHSA-7m9g-pmxf-m9m8

Source

https://github.com/advisories/GHSA-7m9g-pmxf-m9m8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-7m9g-pmxf-m9m8/GHSA-7m9g-pmxf-m9m8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7m9g-pmxf-m9m8

Aliases

CVE-2025-11538

Downstream

MINI-49pv-8q97-2chg

MINI-7fc6-jqc2-gp69

Published

2025-11-13T18:31:05Z

Modified

2025-11-14T01:00:31.773574Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Keycloak allows Binding to an Unrestricted IP Address

Details

A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.

Database specific

{
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1327"
    ],
    "nvd_published_at": "2025-11-13T17:15:44Z",
    "github_reviewed_at": "2025-11-13T23:41:01Z"
}

References

Affected packages

Maven / org.keycloak:keycloak-quarkus-server

Package

Name: org.keycloak:keycloak-quarkus-server; View open source insights on deps.dev
Purl: pkg:maven/org.keycloak/keycloak-quarkus-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

26.4.4

Affected versions

12.*

12.0.0

12.0.1

12.0.2

12.0.3

12.0.4

13.*

13.0.0

13.0.1

14.*

14.0.0

15.*

15.0.0

15.0.1

15.0.2

15.1.0

15.1.1

16.*

16.0.0

16.1.0

16.1.1

17.*

17.0.0

17.0.1

18.*

18.0.0

18.0.1

18.0.2

19.*

19.0.0

19.0.1

19.0.2

19.0.3

20.*

20.0.0

20.0.1

20.0.2

20.0.3

20.0.4

20.0.5

21.*

21.0.0

21.0.1

21.0.2

21.1.0

21.1.1

21.1.2

22.*

22.0.0

22.0.1

22.0.2

22.0.3

22.0.4

22.0.5

23.*

23.0.0

23.0.1

23.0.2

23.0.3

23.0.4

23.0.5

23.0.6

23.0.7

24.*

24.0.0

24.0.1

24.0.2

24.0.3

24.0.4

24.0.5

25.*

25.0.0

25.0.1

25.0.2

25.0.3

25.0.4

25.0.5

25.0.6

26.*

26.0.0

26.0.1

26.0.2

26.0.4

26.0.5

26.0.6

26.0.7

26.0.8

26.1.0

26.1.1

26.1.2

26.1.3

26.1.4

26.1.5

26.2.0

26.2.1

26.2.2

26.2.3

26.2.4

26.2.5

26.3.0

26.3.1

26.3.2

26.3.3

26.3.4

26.3.5

26.4.0

26.4.1

26.4.2

26.4.3

26.4.4