{
  "threat_severity" : "Moderate",
  "public_date" : "2025-03-20T00:00:00Z",
  "bugzilla" : {
    "description" : "org.keycloak/keycloak-services: JWT Token Cache Exhaustion Leading to Denial of Service (DoS) in Keycloak",
    "id" : "2353868",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2353868"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.", "A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Build of Keycloak",
    "release_date" : "2025-04-29T00:00:00Z",
    "advisory" : "RHSA-2025:4336",
    "cpe" : "cpe:/a:redhat:build_keycloak:26",
    "package" : "keycloak-services"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.0",
    "release_date" : "2025-04-29T00:00:00Z",
    "advisory" : "RHSA-2025:4335",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.0::el9",
    "package" : "rhbk/keycloak-operator-bundle:26.0.11-2"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.0",
    "release_date" : "2025-04-29T00:00:00Z",
    "advisory" : "RHSA-2025:4335",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.0::el9",
    "package" : "rhbk/keycloak-rhel9:26.0-12"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.0",
    "release_date" : "2025-04-29T00:00:00Z",
    "advisory" : "RHSA-2025:4335",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.0::el9",
    "package" : "rhbk/keycloak-rhel9-operator:26.0-13"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Fix deferred",
    "package_name" : "keycloak-services",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-2559\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-2559" ],
  "name" : "CVE-2025-2559",
  "csaw" : false
}