CVE-2025-11538: Keycloak has debug default bind address
A vulnerability exists in Keycloak’s server distribution where enabling debug mode (--debug) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.
Red Hat evaluates this as a Moderate impact vulnerability due to the requirement of running debug mode and untrusted network. Also, for Red Hat Single Sign-On, this must as well be bound to 0.0.0.0 address, which is not recommended in production scenarios.
References
- access.redhat.com/errata/RHSA-2025:21370
- access.redhat.com/errata/RHSA-2025:21371
- access.redhat.com/security/cve/CVE-2025-11538
- bugzilla.redhat.com/show_bug.cgi?id=2402622
- github.com/advisories/GHSA-j4vq-q93m-4683
- github.com/keycloak/keycloak
- github.com/keycloak/keycloak/security/advisories/GHSA-j4vq-q93m-4683
- nvd.nist.gov/vuln/detail/CVE-2025-11538
Code Behaviors & Features
Detect and mitigate CVE-2025-11538 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →