
CVE-2025-2559: Allocation of Resources Without Limits or Throttling

Severity: Medium
Published: Tue Mar 25 2025 (03/25/2025, 08:20:57 UTC)
Source: CVE
Vendor/Project: Red Hat
Product: Red Hat Build of Keycloak

Description

A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.

AI-Powered Analysis

AI analysis last updated: 07/11/2025, 05:46:39 UTC

Technical Analysis

CVE-2025-2559 is a medium-severity resource-exhaustion flaw (CWE-770, Allocation of Resources Without Limits or Throttling) affecting Red Hat Build of Keycloak versions 23.0.0 through 26.1.0. It lies in the client-authentication path in which a client proves its identity to the token endpoint with a signed JWT assertion rather than a plain secret. Keycloak accepts such an assertion only once: after verifying the signature it records the token until the token's exp claim so that a replayed assertion is refused. That replay cache is therefore bounded only by the lifetime the client chose to put in exp. A client that mints assertions valid for 24 or 48 hours keeps every assertion it has ever presented resident for that long, and a client that authenticates frequently with fresh jti values adds entries far faster than they expire. The heap fills, the JVM raises OutOfMemoryError, and the Keycloak node stops serving all authentication traffic, not only the offending client's: a denial of service.

The CVSS 3.1 vector is network-reachable (AV:N) with low attack complexity (AC:L), no user interaction (UI:N), and an availability-only impact (A:H, with no confidentiality or integrity impact). The PR:H component corresponds in practice to holding a valid credential of a client that is permitted to authenticate with JWT assertions, that is, that client's signing key or secret; an anonymous caller cannot trigger the growth, but no administrative role is needed. At the time of this analysis no exploitation in the wild was known and no fixed build was linked from the record. The root cause is twofold: the server does not cap how far ahead a client may set exp, and nothing bounds the cache that tracks accepted assertions. That is the classic CWE-770 pattern, in which the server lets an untrusted party decide how much memory it holds and for how long.
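The two behaviours described above, as an added example written for this page (it is not Keycloak's code and does not reproduce Keycloak's cache implementation): a stdlib-only HS256 client_secret_jwt assertion builder, a replay cache that keeps each accepted jti until its exp, a server that accepts any unexpired exp (the flaw), and a hardened server that caps how far ahead exp may be. The client secret, the token-endpoint URL and the 60-second cap (MAX_ASSERTION_LIFETIME_S) are assumptions chosen for illustration, not Keycloak settings.

```python
"""Added example (not Keycloak's code): a stdlib-only model of JWT client
authentication with a replay cache, in the unbounded form the CVE describes
and in a hardened form that caps how far ahead a client may set exp."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Callable, Dict, Tuple

CLIENT_SECRET = b"constructed-sample-secret-for-client-svc-a"  # assumed credential
TOKEN_ENDPOINT = "https://idp.example/realms/demo/protocol/openid-connect/token"  # assumed
MAX_ASSERTION_LIFETIME_S = 60  # assumed server policy; not a Keycloak setting


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_client_assertion(client_id: str, secret: bytes, now: int, lifetime_s: int) -> str:
    """Client side: an HS256 client_secret_jwt assertion whose exp the client chooses."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "jti": secrets.token_hex(16), "iat": now, "exp": now + lifetime_s}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, secret: bytes) -> dict:
    """Check the HMAC over header.payload and return the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(payload_b64))


class ReplayCache:
    """Remembers each accepted jti until its exp so a second presentation is refused.
    Nothing here limits the size: the client's exp decides how long entries live."""

    def __init__(self) -> None:
        self._seen: Dict[str, int] = {}

    def put_if_absent(self, jti: str, exp: int, now: int) -> bool:
        self._seen = {j: e for j, e in self._seen.items() if e > now}  # drop expired entries
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True

    def __len__(self) -> int:
        return len(self._seen)


def authenticate_vulnerable(token: str, secret: bytes, cache: ReplayCache, now: int) -> str:
    """Server side as the CVE describes it: any unexpired exp is accepted and cached."""
    claims = verify_hs256(token, secret)
    if claims["exp"] <= now:
        raise ValueError("assertion expired")
    if not cache.put_if_absent(claims["jti"], claims["exp"], now):
        raise ValueError("assertion replayed")
    return claims["sub"]


def authenticate_hardened(token: str, secret: bytes, cache: ReplayCache, now: int,
                          max_lifetime_s: int = MAX_ASSERTION_LIFETIME_S) -> str:
    """Server side with a cap: the server, not the client, bounds cache residency."""
    claims = verify_hs256(token, secret)
    if claims["exp"] <= now:
        raise ValueError("assertion expired")
    if claims["exp"] - now > max_lifetime_s:
        raise ValueError(f"exp is {claims['exp'] - now}s ahead; limit is {max_lifetime_s}s")
    if not cache.put_if_absent(claims["jti"], claims["exp"], now):
        raise ValueError("assertion replayed")
    return claims["sub"]


def simulate(authenticate: Callable[..., str], lifetime_s: int, requests: int,
             start: int = 1_700_000_000) -> Tuple[int, int, int]:
    """One client authenticating once per second with fresh assertions.
    Returns (accepted, rejected, entries still resident in the cache)."""
    cache = ReplayCache()
    accepted = rejected = 0
    for i in range(requests):
        token = mint_client_assertion("svc-a", CLIENT_SECRET, start + i, lifetime_s)
        try:
            authenticate(token, CLIENT_SECRET, cache, start + i)
            accepted += 1
        except ValueError:
            rejected += 1
    return accepted, rejected, len(cache)


if __name__ == "__main__":
    two_days = 48 * 3600
    print("vulnerable, 48h exp:", simulate(authenticate_vulnerable, two_days, 2_000))  # (2000, 0, 2000)
    print("hardened,   48h exp:", simulate(authenticate_hardened, two_days, 2_000))    # (0, 2000, 0)
    print("hardened,   60s exp:", simulate(authenticate_hardened, 60, 2_000))          # (2000, 0, 60)
```

The third run is the point of the cap: with a 60-second limit the cache settles at roughly one entry per second of client request rate, independent of how many requests the client has made in total, whereas the vulnerable server's cache size equals the total request count for the whole 48 hours the client asked for.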

Potential Impact

For European organizations that run Red Hat Build of Keycloak as their identity provider, this vulnerability is a service-disruption risk. Keycloak is widely deployed for single sign-on and API authentication, so an OutOfMemoryError on a Keycloak node takes down the login and token endpoints for every application behind it, not only the client whose assertions filled the cache. That affects business continuity for organizations with customer-facing services or with regulatory obligations such as GDPR's requirement to maintain the availability and resilience of processing systems, and it is relevant in sectors such as finance, healthcare, government and telecommunications where Keycloak is common. The precondition for exploitation is control of a client that is allowed to authenticate with JWT assertions, which in practice means a compromised service holding such a client's signing key or secret, a malicious tenant that has been issued one, or an insider able to register clients; full administrative access is not needed. A misconfigured but benign client that simply mints 24- or 48-hour assertions at a high rate can produce the same outage without any attacker at all. Because there is no confidentiality or integrity impact, the direct risk is an outage rather than a data breach, with the reputational and operational cost that an identity-provider outage brings.

Mitigation Recommendations

To mitigate CVE-2025-2559, European organizations should implement the following measures:

1) Mint short-lived client assertions. Configure every client that authenticates with JWT assertions to set exp only a short time after iat (tens of seconds to a few minutes). In the affected versions the server does not cap this value, so the bound has to come from the clients themselves.
2) Monitor JVM heap on every Keycloak node and alert on sustained growth that garbage collection does not reclaim. A steady climb under flat authentication load is the signature of this flaw.
3) If the cache that holds accepted assertions can be bounded in your deployment, set a size limit or eviction policy so growth is capped regardless of client behaviour.
4) Restrict JWT client authentication to the clients that need it and whose signing keys or secrets you control; a leaked client credential is the precondition for exploitation.
5) Inventory which clients use JWT authentication, rotate their keys on a schedule, and review the assertion lifetimes they actually send.
6) Track Red Hat's advisory for this CVE and update to a fixed build as soon as one is published; at the time of this analysis none was linked from the record.
7) Rate-limit token-endpoint traffic per client at the reverse proxy or API gateway, so that a single client cannot submit assertions fast enough to exhaust memory within the lifetime it chose.
8) Use Keycloak's metrics and logging to track authentication rates per client and correlate spikes with heap growth, so that the offending client can be identified and disabled before the node fails.
9) Run Keycloak in containers or pods with explicit memory limits and restart policies, and with more than one replica, so that an OutOfMemoryError on one node is contained and recovered rather than taking the whole service down.
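Measures 2 and 8 above, as an added example written for this page (not Keycloak's code): a stdlib-only parser over a Prometheus-format scrape that computes heap usage and flags both a threshold breach and a sustained climb. It assumes that Keycloak's metrics endpoint, when metrics are enabled, exposes Micrometer's standard jvm_memory_used_bytes and jvm_memory_max_bytes gauges with area and id labels; the pool names, values and the 85 percent threshold in the sample are constructed.

```python
"""Added example (not Keycloak's code): detect heap exhaustion from a
Prometheus-format scrape of the JVM memory gauges."""
import re
from typing import Dict, List, Sequence, Tuple

# Constructed sample scrape in the shape of Micrometer's JVM memory gauges
# (metric names and label set assumed; values are made up). Eden and Survivor
# report max=-1 because their limit is not fixed, so only positive maxima count.
SAMPLE_SCRAPE = """\
# HELP jvm_memory_used_bytes The amount of used memory
# TYPE jvm_memory_used_bytes gauge
jvm_memory_used_bytes{area="heap",id="G1 Eden Space",} 1.34217728E8
jvm_memory_used_bytes{area="heap",id="G1 Old Gen",} 1.717986918E9
jvm_memory_used_bytes{area="heap",id="G1 Survivor Space",} 8388608.0
jvm_memory_used_bytes{area="nonheap",id="Metaspace",} 9.437184E7
# HELP jvm_memory_max_bytes The maximum amount of memory in bytes that can be used
# TYPE jvm_memory_max_bytes gauge
jvm_memory_max_bytes{area="heap",id="G1 Eden Space",} -1.0
jvm_memory_max_bytes{area="heap",id="G1 Old Gen",} 2.147483648E9
jvm_memory_max_bytes{area="heap",id="G1 Survivor Space",} -1.0
jvm_memory_max_bytes{area="nonheap",id="Metaspace",} -1.0
"""

_SAMPLE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)')
_LABEL_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_scrape(text: str) -> List[Tuple[str, Dict[str, str], float]]:
    """Parse Prometheus exposition text into (metric, labels, value) triples,
    skipping comments and blank lines."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = _SAMPLE_RE.match(line)
        if not match:
            continue
        labels = dict(_LABEL_RE.findall(match.group(2) or ""))
        samples.append((match.group(1), labels, float(match.group(3))))
    return samples


def heap_usage(text: str) -> Tuple[float, float, float]:
    """Return (used, max, ratio) for the heap area: used summed over all heap
    pools, max summed over the pools that report a fixed limit."""
    used = maximum = 0.0
    for name, labels, value in parse_scrape(text):
        if labels.get("area") != "heap":
            continue
        if name == "jvm_memory_used_bytes":
            used += value
        elif name == "jvm_memory_max_bytes" and value > 0:
            maximum += value
    if maximum <= 0:
        raise ValueError("no heap maximum reported; cannot compute a ratio")
    return used, maximum, used / maximum


def heap_alert(text: str, threshold: float = 0.85) -> bool:
    """True when heap usage exceeds the threshold (assumed 85 percent)."""
    return heap_usage(text)[2] > threshold


def sustained_growth(ratios: Sequence[float], min_points: int = 5) -> bool:
    """True when the last min_points heap ratios are strictly increasing.
    A steady climb that GC never reclaims is cache bloat; a sawtooth is not."""
    tail = list(ratios[-min_points:])
    return len(tail) == min_points and all(b > a for a, b in zip(tail, tail[1:]))


if __name__ == "__main__":
    used, maximum, ratio = heap_usage(SAMPLE_SCRAPE)
    print(f"heap used {used:.0f} of {maximum:.0f} bytes ({ratio:.1%}), alert={heap_alert(SAMPLE_SCRAPE)}")
```

Feed heap_usage with successive scrapes and keep the ratios in a ring buffer; sustained_growth over that buffer distinguishes the monotonic climb this flaw produces from the normal garbage-collection sawtooth, which is what keeps the alert from firing on ordinary load.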


Technical Details

Data Version
5.1
Assigner Short Name
redhat
Date Reserved
2025-03-20T12:22:59.504Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d983bc4522896dcbee413

Added to database: 5/21/2025, 9:09:15 AM

Last enriched: 7/11/2025, 5:46:39 AM

Last updated: 8/13/2025, 11:33:57 AM

