CVE-2024-10039: Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination

November 25, 2024 (updated January 30, 2025)

A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.

References

github.com/advisories/GHSA-93ww-43rr-79v3
github.com/keycloak/keycloak
github.com/keycloak/keycloak/issues/35217
github.com/keycloak/keycloak/security/advisories/GHSA-93ww-43rr-79v3
nvd.nist.gov/vuln/detail/CVE-2024-10039

Code Behaviors & Features

Detect and mitigate CVE-2024-10039 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →