GHSA-j4vq-q93m-4683

Source
https://github.com/advisories/GHSA-j4vq-q93m-4683
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-j4vq-q93m-4683/GHSA-j4vq-q93m-4683.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j4vq-q93m-4683
Aliases
  • CVE-2025-11538
Published
2025-12-02T00:35:03Z
Modified
2025-12-02T01:29:45.510324Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Keycloak has debug default bind address
Details

A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.

Red Hat rates this as a Moderate impact vulnerability because exploitation requires both that debug mode is running and that the host is reachable from an untrusted network. For Red Hat Single Sign-On, the debug port would additionally have to be bound explicitly to the 0.0.0.0 address, which is not recommended in production scenarios.
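As an added illustration that is not part of the advisory or of the Keycloak project, the following Python script audits JVM command lines for a listening JDWP agent and classifies the address it binds to. The `-agentlib:jdwp=...` syntax and the `address=` forms (bare port, `host:port`, `*:port`) are standard JDK options; a bare port binds loopback only on JDK 9 and later but all interfaces on JDK 8, so it is flagged for review rather than assumed safe. The sample command lines are constructed for the example and only imitate a debug-mode launch; they are not taken from the page.

```python
import re

# Matches the JDWP agent option string on a JVM command line.
JDWP_RE = re.compile(r"-agentlib:jdwp=(\S+)")

# Constructed sample command lines (not real process listings):
#  1) a debug-mode launch bound to every interface,
#  2) the same launch pinned to loopback,
#  3) a JVM started without a debug agent.
SAMPLE_CMDLINES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8787 -jar quarkus-run.jar start",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:8787 -jar quarkus-run.jar start",
    "java -Xms512m -jar quarkus-run.jar start",
]

# Risk label per bind class; "bare-port" depends on the JDK version, so it needs a manual look.
RISK = {
    "all-interfaces": "high",
    "specific-host": "medium",
    "bare-port": "review-jdk-version",
    "absent": "review",
    "loopback": "low",
}


def parse_jdwp_options(cmdline):
    """Return the JDWP key=value options as a dict, or None if no agent is configured."""
    match = JDWP_RE.search(cmdline)
    if not match:
        return None
    opts = {}
    for item in match.group(1).split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts


def classify_bind(address):
    """Classify a JDWP address= value by which interfaces the listener binds.

    Accepted forms: 'port', 'host:port', or '[ipv6]:port'.
    """
    if not address:
        return "absent"
    host, sep, _port = address.rpartition(":")
    if not sep:
        return "bare-port"
    host = host.strip("[]")
    if host in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    if host in ("localhost", "127.0.0.1", "::1"):
        return "loopback"
    return "specific-host"


def audit(cmdlines):
    """Return one finding per JVM that runs a JDWP agent in listening (server=y) mode."""
    findings = []
    for idx, cmd in enumerate(cmdlines):
        opts = parse_jdwp_options(cmd)
        if opts is None or opts.get("server") != "y":
            continue  # no agent, or agent in attach-out (client) mode: nothing listens
        address = opts.get("address", "")
        bind = classify_bind(address)
        findings.append({"index": idx, "address": address, "bind": bind, "risk": RISK[bind]})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CMDLINES):
        print(finding)
```

In practice the input would be the command lines of running Java processes on the host; anything classified as `all-interfaces` on a machine that is not isolated from other hosts is the condition the advisory describes, and the remediation is to bind the debug listener to loopback or to disable debug mode outside development.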

Database specific
{
    "severity": "MODERATE",
    "nvd_published_at": null,
    "github_reviewed_at": "2025-12-02T00:35:03Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1327"
    ]
}
References

Affected packages

Maven / org.keycloak:keycloak-quarkus-dist

Package

Name
org.keycloak:keycloak-quarkus-dist
Purl
pkg:maven/org.keycloak/keycloak-quarkus-dist

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
26.4.4

Affected versions

17.*

17.0.0
17.0.1

18.*

18.0.0
18.0.1
18.0.2

19.*

19.0.0
19.0.1
19.0.2
19.0.3

20.*

20.0.0
20.0.1
20.0.2
20.0.3
20.0.5

21.*

21.0.0
21.0.1
21.0.2
21.1.0
21.1.1
21.1.2

22.*

22.0.0
22.0.1
22.0.2
22.0.3
22.0.4
22.0.5

23.*

23.0.0
23.0.1
23.0.2
23.0.3
23.0.4
23.0.5
23.0.6
23.0.7

24.*

24.0.0
24.0.1
24.0.2
24.0.3
24.0.4
24.0.5

25.*

25.0.0
25.0.1
25.0.2
25.0.3
25.0.4
25.0.5
25.0.6

26.*

26.0.0
26.0.1
26.0.2
26.0.4
26.0.5
26.0.6
26.0.7
26.0.8
26.1.0
26.1.1
26.1.2
26.1.3
26.1.4
26.1.5
26.2.0
26.2.1
26.2.2
26.2.3
26.2.4
26.2.5
26.3.0
26.3.1
26.3.2
26.3.3
26.3.4
26.3.5
26.4.0
26.4.1
26.4.2
26.4.3