Duplicate Advisory: Keycloak allows Binding to an Unrestricted IP Address

GHSA-7m9g-pmxf-m9m8

Published Nov 13, 2025 · Modified Feb 4, 2026

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-j4vq-q93m-4683. This link is maintained to preserve external references.

Original Description

A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug ) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-11538
WEB https://github.com/keycloak/keycloak/pull/43574
WEB https://github.com/keycloak/keycloak/commit/9e98f2bf961f68853cea6fbec58b512ed8be7ca9
WEB https://access.redhat.com/errata/RHSA-2025:21370
WEB https://access.redhat.com/errata/RHSA-2025:21371
WEB https://access.redhat.com/security/cve/CVE-2025-11538
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2402622
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes