CVE-2025-3501

🗓️ 29 Apr 2025 20:45:29Reported by redhatType

Flaw in Keycloak allows skipped trust store verification with 'ALL' policy setting.

Reporter	Title	Published	Views	Family All 28
Chainguard	CVE-2025-3501 vulnerabilities	5 May 202513:14	–	cgr
Circl	CVE-2025-3501	29 Apr 202521:13	–	circl
CNNVD	Keycloak 安全漏洞	29 Apr 202500:00	–	cnnvd
Cvelist	CVE-2025-3501 Org.keycloak.protocol.services: keycloak hostname verification	29 Apr 202520:45	–	cvelist
EUVD	EUVD-2025-12660	3 Oct 202520:07	–	euvd
EUVD	EUVD-2025-12746	3 Oct 202520:07	–	euvd
Github Security Blog	Keycloak hostname verification	30 Apr 202517:24	–	github
Github Security Blog	Duplicate Advisory: Keycloak hostname verification	29 Apr 202521:31	–	github
NCSC	Vulnerabilities fixed in Keycloak	6 May 202507:12	–	ncsc
NVD	CVE-2025-3501	29 Apr 202521:15	–	nvd

[
  {
    "versions": [
      {
        "status": "affected",
        "version": "25.0.0",
        "lessThan": "25.*",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "26.0.0",
        "lessThan": "26.0.11",
        "versionType": "semver"
      },
      {
        "status": "unknown",
        "version": "26.1.0",
        "lessThan": "26.1.*",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "26.2.0",
        "lessThan": "26.2.2",
        "versionType": "semver"
      }
    ],
    "packageName": "keycloak",
    "collectionURL": "https://www.keycloak.org/",
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Build of Keycloak",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "unaffected",
    "packageName": "keycloak",
    "cpes": [
      "cpe:/a:redhat:build_keycloak:26"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 26",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:build_keycloak:26"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 26.0",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhbk/keycloak-operator-bundle",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "26.0.11-2",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:build_keycloak:26.0::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 26.0",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhbk/keycloak-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "26.0-12",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:build_keycloak:26.0::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 26.0",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhbk/keycloak-rhel9-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "26.0-13",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:build_keycloak:26.0::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 26.2",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhbk/keycloak-operator-bundle",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "26.2.5-1",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:build_keycloak:26.2::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 26.2",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhbk/keycloak-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "26.2-4",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:build_keycloak:26.2::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 26.2",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhbk/keycloak-rhel9-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "26.2-4",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:build_keycloak:26.2::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Single Sign-On 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rh-sso7-keycloak",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:red_hat_single_sign_on:7"
    ]
  }
]

Source	Link
access	www.access.redhat.com/errata/RHSA-2025:4335
access	www.access.redhat.com/errata/RHSA-2025:8690
access	www.access.redhat.com/security/cve/CVE-2025-3501
github	www.github.com/keycloak/keycloak/issues/39350
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
github	www.github.com/keycloak/keycloak/pull/39366
access	www.access.redhat.com/errata/RHSA-2025:8672
access	www.access.redhat.com/errata/RHSA-2025:4336

17 Jun 2026 09:20Current

8.1High risk

Vulners AI Score8.1

CVSS 3.18.2

EPSS0.0037

SSVC

CWE-297

cve-2025-3501 keycloak trust store verification flaw