CVE-2025-11538: Keycloak allows Binding to an Unrestricted IP Address

November 13, 2025 (updated November 14, 2025)

A vulnerability exists in Keycloak’s server distribution where enabling debug mode (–debug ) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.

References

access.redhat.com/errata/RHSA-2025:21370
access.redhat.com/errata/RHSA-2025:21371
access.redhat.com/security/cve/CVE-2025-11538
bugzilla.redhat.com/show_bug.cgi?id=2402622
github.com/advisories/GHSA-7m9g-pmxf-m9m8
github.com/keycloak/keycloak
nvd.nist.gov/vuln/detail/CVE-2025-11538

Code Behaviors & Features

Detect and mitigate CVE-2025-11538 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →