CVE-2025-11419: Allocation of Resources Without Limits or Throttling
A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable.
AI Analysis
Technical Summary
This vulnerability in Keycloak involves the allocation of resources without limits or throttling during TLS 1.2 client-initiated renegotiation requests. An unauthenticated attacker can exploit this flaw to overwhelm the server's CPU, resulting in a denial of service. The issue affects multiple Keycloak versions and has been assigned a CVSS 3.1 score of 7.5 (high severity) with no confidentiality or integrity impact but high impact on availability. Red Hat has issued security advisories RHSA-2025:18254 and RHSA-2025:18255 providing updated Keycloak 26.0.16 images and packages that fix this vulnerability. Users should apply these updates after backing up their environments.
Potential Impact
The vulnerability allows an unauthenticated remote attacker to cause a denial of service by exhausting CPU resources through repeated TLS renegotiation requests. This results in service unavailability but does not impact confidentiality or integrity of data. No known active exploits have been reported.
Mitigation Recommendations
Red Hat has released updated Keycloak 26.0.16 images and packages that address CVE-2025-11419. Users should back up their existing installations, including applications, configuration files, and databases, before applying these updates. Applying the official Red Hat updates is the recommended remediation. Patch status is confirmed as fixed by Red Hat advisories RHSA-2025:18254 and RHSA-2025:18255.
CVE-2025-11419: Allocation of Resources Without Limits or Throttling
Description
A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Keycloak involves the allocation of resources without limits or throttling during TLS 1.2 client-initiated renegotiation requests. An unauthenticated attacker can exploit this flaw to overwhelm the server's CPU, resulting in a denial of service. The issue affects multiple Keycloak versions and has been assigned a CVSS 3.1 score of 7.5 (high severity) with no confidentiality or integrity impact but high impact on availability. Red Hat has issued security advisories RHSA-2025:18254 and RHSA-2025:18255 providing updated Keycloak 26.0.16 images and packages that fix this vulnerability. Users should apply these updates after backing up their environments.
Potential Impact
The vulnerability allows an unauthenticated remote attacker to cause a denial of service by exhausting CPU resources through repeated TLS renegotiation requests. This results in service unavailability but does not impact confidentiality or integrity of data. No known active exploits have been reported.
Mitigation Recommendations
Red Hat has released updated Keycloak 26.0.16 images and packages that address CVE-2025-11419. Users should back up their existing installations, including applications, configuration files, and databases, before applying these updates. Applying the official Red Hat updates is the recommended remediation. Patch status is confirmed as fixed by Red Hat advisories RHSA-2025:18254 and RHSA-2025:18255.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2025-10-07T11:19:18.134Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/errata/RHSA-2025:18254","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:18255","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:18889","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:18890","vendor":"Red Hat"},{"url":"https://access.redhat.com/security/cve/CVE-2025-11419","vendor":"Red Hat"}]
Threat ID: 694aff404eddf7475af4bf8b
Added to database: 12/23/2025, 8:44:48 PM
Last enriched: 4/21/2026, 5:42:04 AM
Last updated: 5/10/2026, 8:02:38 AM
Views: 235
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.