Keycloak Cert Trust Skip via VERIFICATION POLICY=ALL
CVE-2025-3501 Published on April 29, 2025
Org.keycloak.protocol.services: keycloak hostname verification
A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.
Vulnerability Analysis
CVE-2025-3501 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.
Timeline
Reported to Red Hat.
Made public 19 days later.
Weakness Type
Improper Validation of Certificate with Host Mismatch
The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.
Products Associated with CVE-2025-3501
Vulnerable Packages
The following package name and versions may be associated with CVE-2025-3501.
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.keycloak:keycloak-services | < 26.2.2 | 26.2.2 |