Headline
GHSA-q8hq-4h99-fj7x: Keycloak TLS Client-Initiated Renegotiation Denial of Service
Keycloak is vulnerable to a Denial of Service (DoS) attack due to the default JDK setting that permits Client-Initiated Renegotiation in TLS 1.2. An unauthenticated remote attacker can repeatedly initiate TLS renegotiation requests to exhaust server CPU resources, making the service unavailable. Immediate mitigation is available by setting the -Djdk.tls.rejectClientInitiatedRenegotiation=true Java system property in the Keycloak startup configuration.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-11419
Keycloak TLS Client-Initiated Renegotiation Denial of Service
High severity GitHub Reviewed Published Oct 27, 2025 in keycloak/keycloak • Updated Oct 27, 2025
Package
maven org.keycloak:keycloak-quarkus-dist (Maven)
Affected versions
< 26.0.16
>= 26.1.0, < 26.2.10
>= 26.3.0, < 26.4.1
Patched versions
26.0.16
26.2.10
26.4.1
Keycloak is vulnerable to a Denial of Service (DoS) attack due to the default JDK setting that permits Client-Initiated Renegotiation in TLS 1.2. An unauthenticated remote attacker can repeatedly initiate TLS renegotiation requests to exhaust server CPU resources, making the service unavailable. Immediate mitigation is available by setting the -Djdk.tls.rejectClientInitiatedRenegotiation=true Java system property in the Keycloak startup configuration.
References
- GHSA-q8hq-4h99-fj7x
Published to the GitHub Advisory Database
Oct 27, 2025
Last updated
Oct 27, 2025