Keycloak-server: debug default bind address_CVE-2025-11538

6.8 / 10

MEDIUM

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.

Basic Information

ID CVE-2025-11538

Source redhat

Published Nov 13, 2025 at 16:47

Modified Nov 13, 2025 at 18:01

Affected Product

Vendor Red Hat

Product Red Hat Build of Keycloak

CWE Classification

CWE-1327

References

{
    "lastseen": "",
    "description": "A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.",
    "published": "2025-11-13T16:47:53.933Z",
    "modified": "2025-11-13T18:01:13.384Z",
    "type": "cve",
    "title": "Keycloak-server: debug default bind address",
    "source": "redhat",
    "references": "https://access.redhat.com/security/cve/CVE-2025-11538\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2402622",
    "id": "CVE-2025-11538",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1327"
    ],
    "cvelist": null,
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 6.8,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Red Hat Build of Keycloak",
    "version": "",
    "vendor": "Red Hat",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}