CVE-2025-2559: Allocation of Resources Without Limits or Throttling
A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.
AI Analysis
Technical Summary
CVE-2025-2559 is a vulnerability identified in the Red Hat Build of Keycloak, a widely used open-source identity and access management solution. The issue stems from the way Keycloak handles JWT (JSON Web Token) authentication tokens when configured to cache them until their expiration. If clients use JWT tokens with excessively long expiration periods—such as 24 or 48 hours—the token cache grows without bounds, as tokens remain stored until they expire. This unbounded cache growth consumes increasing amounts of memory, eventually triggering an OutOfMemoryError in the Keycloak server. The resulting failure causes a denial of service (DoS), preventing legitimate users from authenticating and accessing protected resources. The vulnerability requires that an attacker be authenticated to submit JWT tokens but does not require any user interaction beyond that. The CVSS 3.1 score of 4.9 reflects a medium severity rating, emphasizing the impact on availability without affecting confidentiality or integrity. No known exploits have been reported in the wild, but the flaw poses a risk to environments with high authentication loads and long-lived JWT tokens. The affected versions are from 23.0.0 through 26.1.0, and the issue was published on March 25, 2025. Because Keycloak is often deployed in enterprise and government environments for centralized authentication, this vulnerability could disrupt critical services if exploited.
Potential Impact
For European organizations, the impact of CVE-2025-2559 can be significant, particularly for those relying heavily on Keycloak for identity and access management across cloud and on-premises infrastructures. The denial of service caused by memory exhaustion can lead to service outages, preventing users from authenticating and accessing essential applications and services. This disruption can affect business continuity, especially in sectors like finance, healthcare, and government where Keycloak is commonly used. The vulnerability does not compromise data confidentiality or integrity, but the loss of availability can result in operational downtime, financial losses, and reputational damage. Organizations with high user concurrency and configurations allowing long JWT token lifetimes are at greater risk. Additionally, the requirement for authenticated access to exploit the flaw somewhat limits the attack surface but does not eliminate the threat, as insider threats or compromised credentials could be leveraged. The absence of known exploits in the wild provides some time for organizations to implement mitigations proactively.
Mitigation Recommendations
To mitigate CVE-2025-2559, European organizations should take several specific steps beyond generic security hygiene:
1) Review and enforce strict limits on JWT token expiration times, avoiding excessively long lifetimes (e.g., limit tokens to a few hours rather than days).
2) Configure Keycloak or the underlying caching mechanism to impose maximum cache sizes or implement eviction policies to prevent unbounded growth.
3) Monitor Keycloak server memory usage and set up alerts for abnormal increases that could indicate exploitation attempts.
4) Apply any patches or updates released by Red Hat promptly once available, as these will likely address the caching behavior directly.
5) Conduct regular audits of authentication logs to detect unusual patterns of token issuance or usage that might signal abuse.
6) Consider implementing rate limiting on authentication requests to reduce the risk of cache exhaustion.
7) Educate administrators and developers about secure token management practices to avoid configurations that enable this vulnerability.
8) If possible, deploy Keycloak in a high-availability setup to minimize service disruption in case of a DoS event.
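An added illustration of mitigations 1 and 2 above (example code written for this page, not Keycloak's own implementation): a token cache that refuses tokens whose remaining lifetime exceeds a policy maximum and caps the number of entries with LRU eviction, so a stream of 24- or 48-hour tokens cannot pin memory until they expire. The class name, the policy constants and the in-memory OrderedDict store are assumptions of this example.

```python
import time
from collections import OrderedDict

# Constructed policy values for this example (not Keycloak settings).
MAX_TOKEN_LIFETIME = 4 * 3600  # refuse tokens that would live longer than 4 hours
MAX_CACHE_ENTRIES = 10_000     # hard cap on cached tokens; LRU-evicted above this


class BoundedTokenCache:
    """Cache of validated JWTs bounded by entry count and by remaining lifetime."""
    def __init__(self, max_entries=MAX_CACHE_ENTRIES, max_lifetime=MAX_TOKEN_LIFETIME, now=time.time):
        self._entries = OrderedDict()  # token -> exp; insertion order doubles as LRU order
        self.max_entries = max_entries
        self.max_lifetime = max_lifetime
        self._now = now                # injectable clock so tests can advance time
        self.rejected_long_lived = 0   # worth exporting as a metric (mitigation 3)

    def admit(self, token, exp):
        """Cache a validated token; return False if policy refuses it."""
        now = self._now()
        if exp <= now:
            return False  # already expired: never cached
        if exp - now > self.max_lifetime:
            self.rejected_long_lived += 1
            return False  # a 24h/48h token would pin memory until it expires
        self._purge_expired(now)
        if token in self._entries:
            self._entries.move_to_end(token)
        else:
            if len(self._entries) >= self.max_entries:
                self._entries.popitem(last=False)  # evict least recently used entry
            self._entries[token] = exp
        return True

    def contains(self, token):
        """True if token is cached and unexpired; an expired hit is dropped."""
        exp = self._entries.get(token)
        if exp is None or exp <= self._now():
            self._entries.pop(token, None)
            return False
        self._entries.move_to_end(token)
        return True

    def _purge_expired(self, now):
        for token, exp in list(self._entries.items()):
            if exp <= now:
                del self._entries[token]

    def __len__(self):
        return len(self._entries)
```

The `rejected_long_lived` counter is the kind of signal to alert on: a sudden rise means clients are presenting tokens that policy would otherwise have let accumulate.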
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-03-20T12:22:59.504Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d983bc4522896dcbee413
Added to database: 5/21/2025, 9:09:15 AM
Last enriched: 1/30/2026, 8:10:37 AM
Last updated: 2/7/2026, 12:28:24 PM