Skip to main content
Version: 2.1.0

Known Issues

Vulnerabilities Highlighted by Amazon Inspector

CVE-2025-2559

Vulnerable package

  • org.keycloak:keycloak-services
  • org.keycloak:keycloak-services

Severity

  • MEDIUM

Description

  • A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.

Mitigation

  • No fix available yet from Keycloak.

  • To work around, do the followings:

    • Don’t use excessively long expiration time, e.g., 24 or 48 hours for JWT token.
    • Use the default expiration settings.
      • The default expiration for Access Token is 5 minutes
      • The default expiration for Refresh Token is 30 minutes and default max session timing is 10 hours.

CVE-2024-9666

Vulnerable package

  • org.keycloak:keycloak-quarkus-server
  • org.keycloak:keycloak-quarkus-server

Severity

  • MEDIUM

Description

  • A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.

Mitigation

CVE-2024-4028

Vulnerable package

  • org.keycloak:keycloak-admin-ui
  • org.keycloak:keycloak-admin-ui

Severity

  • LOW

Description

  • A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.

Mitigation

  • This vulnerability is considered to be of low risk as it required attacker to have privileged access to the Keycloak Admin Console and use a malicious payload as the permission while creating items (Resource and Permissions) from the Keycloak Admin Console.
  • It is highly recommended that the Keycloak Admin Console not to be expose to the Internet.
  • With IAMS, Resource and Permission are not created via Keycloak Admin Console. Instead it is created by IAMS Web Admin Console which doesn’t allow uploading of payload to create permission.

Enabling Content Security Policies for Keycloak Login Page

Keycloak imports and runs 2 scripts to improve the user experience across browsers - checkAuthSession and startSessionPolling from their "authChecker.js" file. At present, enabling stricter content security policies will disable these imported scripts from running, which disables the session polling feature. The repercussion of this is that users with multiple login pages open will not automatically poll and trigger a login when one page is logged in.

This is a known issue and is being tracked by Keycloak - https://github.com/keycloak/keycloak/issues/32123, this is expected to be supported in the next milestone.

CVE-2025-5889

Vulnerable package

  • brace-expansion

Severity

  • LOW

Description

  • The issue lies in the expand function (index.js), where an inefficient regular expression can be exploited, leading to Regular Expression Denial of Service (ReDoS). The vulnerability can be triggered via specially crafted input and may allow an attacker to cause significant slowdowns or application crashes.

Mitigation

  • This vulnerability is considered to be of low risk as the complexity of an attack is rather high and the exploitation is known to be difficult.
  • This issue is resolved in the following versions of brace-expansion:
    • 1.1.12
    • 2.0.2
    • 3.0.1
    • 4.0.1

Frontend Known Issues

Incorrect Toast Message After Deleting a Data Table Item

Description When an item is deleted via the row action in a data table, the toast message always shows a generic success message:

"User deleted successfully"

Instead, it should display a dynamic message that reflects the actual entity type, such as:

"[Entity Name] has been deleted successfully."

This can lead to confusion when managing different entity types (e.g., groups, roles, users) in shared table components.

Status: Open

White Flash Screen After Tenant Switch in Dark Mode

Description A white flash appears briefly during the tenant switch when the UI is in dark mode. This behavior disrupts the user experience and may be visually jarring.

Status: Open Workaround: None currently available.

Delete Button Unresponsive When Scope is Tied to a Resource

Description Attempting to delete a scope that is currently in use by a resource causes the confirmation dialog to remain open without error. The delete action is silently blocked but not communicated to the user.

Status: Open Workaround: Manually check if the scope is assigned before attempting to delete.