PT-2025-44075 · Red Hat · Keycloak

Osidb Bzimport · Published 2025-10-27 · Updated 2026-02-13 · CVE-2025-11419

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)

Description: Keycloak is susceptible to a Denial of Service (DoS) attack. The cause is a default Java Development Kit (JDK) setting that allows client-initiated renegotiation in the TLS 1.2 protocol. An unauthenticated attacker can send repeated TLS renegotiation requests, overwhelming the server's CPU and making the service unavailable.

Recommendations: Set the -Djdk.tls.rejectClientInitiatedRenegotiation=true Java system property in the Keycloak startup configuration.
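The following is an added example, not taken from the advisory or from the Keycloak project. It is a small POSIX shell pre-start check that verifies the JVM options Keycloak will be launched with actually carry the recommended property, and that normalises an existing setting (missing, or explicitly set to false) to the hardened value. The function and variable names are this example's own; the final line assumes the Quarkus-based kc.sh launcher honours the JAVA_OPTS_APPEND environment variable.

```shell
#!/bin/sh
# Added example (not from the advisory or Keycloak): guard the JVM options used
# to start Keycloak so that client-initiated TLS renegotiation is rejected.

RENEG_GUARD='-Djdk.tls.rejectClientInitiatedRenegotiation=true'

# has_reneg_guard OPTS -> exit 0 when OPTS contains the property set to true,
#                         exit 1 otherwise (absent, or set to any other value).
has_reneg_guard() {
    for tok in $1; do
        case "$tok" in
            "$RENEG_GUARD") return 0 ;;
        esac
    done
    return 1
}

# harden_opts OPTS -> prints OPTS with any existing value of the property
#                     removed and the hardened value appended once.
harden_opts() {
    out=''
    for tok in $1; do
        case "$tok" in
            -Djdk.tls.rejectClientInitiatedRenegotiation=*) ;;   # drop old value
            *) out="${out:+$out }$tok" ;;
        esac
    done
    printf '%s\n' "${out:+$out }$RENEG_GUARD"
}

# Constructed sample option strings for illustration.
UNSAFE_OPTS='-Xms512m -Xmx2g'
WEAKENED_OPTS='-Xmx2g -Djdk.tls.rejectClientInitiatedRenegotiation=false'
HARDENED_OPTS='-Xmx2g -Djdk.tls.rejectClientInitiatedRenegotiation=true'

# Usage before launching kc.sh (assumes the launcher reads JAVA_OPTS_APPEND):
JAVA_OPTS_APPEND="$(harden_opts "${JAVA_OPTS_APPEND:-}")"
export JAVA_OPTS_APPEND
```

Run this from the same environment that invokes kc.sh; whatever was already in JAVA_OPTS_APPEND is preserved except for a conflicting value of the renegotiation property, which is replaced by the hardened one.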

Fix

DoS

Resource Exhaustion

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2025-11419
GHSA-Q8HQ-4H99-FJ7X

Affected Products

Keycloak