Keycloak, Hostname Verification Bypass, CVE-2025-XXXX (High)

How the CVE Works

The vulnerability (CVE-2025-XXXX) in Keycloak arises when the hostname verification policy is set to ‘ALL’, a setting that inadvertently disables trust store certificate validation as well. With the policy set this way, Keycloak no longer validates the TLS/SSL certificate of the server it connects to, which opens the connection to Man-in-the-Middle (MitM) attacks: because the server’s hostname is never checked against the certificate, an attacker positioned on the network path can intercept and modify communications between clients and the Keycloak server. The flaw stems from improper handling of the `X509ExtendedTrustManager` implementation, whose `checkServerTrusted` method does not enforce hostname checks when the policy is set to ALL.
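To make the difference between the verification behaviours concrete, here is an added example that is not code from the advisory or from Keycloak itself. It is written in Go rather than Keycloak's Java because Go's standard library can generate the test certificates in-process, so it runs offline. It builds a constructed trust store holding a test CA, a genuine server certificate issued by that CA for the assumed hostname keycloak.example.internal, and a rogue self-signed certificate for the same name, then runs each through a verifier modelled on the advisory's STRICT and ALL policies. CHAIN_ONLY is an assumed value, not a Keycloak setting, added only to show what trust store validation alone would still have caught; with ALL as described above, nothing is checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy holds the hostname verification setting values named in the advisory.
type Policy string

const (
	PolicyStrict    Policy = "STRICT"     // chain validated against the trust store and hostname matched
	PolicyAll       Policy = "ALL"        // flawed behaviour described in the advisory: nothing is checked
	PolicyChainOnly Policy = "CHAIN_ONLY" // assumed, not a Keycloak value: trust store consulted, hostname ignored
)

// VerifyServerCert is the check a TLS client applies to the server's leaf certificate; unknown policies fail closed.
func VerifyServerCert(policy Policy, leaf *x509.Certificate, roots *x509.CertPool, hostname string) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	switch policy {
	case PolicyStrict:
		opts.DNSName = hostname // a non-empty DNSName makes Verify also match the hostname against the SAN
	case PolicyChainOnly:
		// no DNSName: the chain is still validated, the hostname is not
	case PolicyAll:
		return nil // every certificate accepted, trusted issuer or not: this is the bypass
	default:
		return fmt.Errorf("unknown hostname verification policy %q", policy)
	}
	_, err := leaf.Verify(opts)
	return err
}

// Material is constructed test data: a trusted CA, a genuine server certificate it issued, and a rogue self-signed one.
type Material struct {
	Roots          *x509.CertPool
	Genuine, Rogue *x509.Certificate
}

func NewMaterial(hostname string) *Material {
	caCert, caKey := newCert("Constructed Test CA", true, nil, nil)
	genuine, _ := newCert(hostname, false, caCert, caKey)
	rogue, _ := newCert(hostname, false, nil, nil) // self-signed, absent from the trust store
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &Material{Roots: roots, Genuine: genuine, Rogue: rogue}
}

// newCert issues a CA or server-leaf certificate for name, signed by parent or
// self-signed when parent is nil; it panics on failure, acceptable for test data.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; real issuers use random serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.BasicConstraintsValid, tmpl.IsCA = true, true
	} else {
		tmpl.DNSNames = []string{name} // hostname verification matches against this SAN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func main() {
	const host = "keycloak.example.internal" // constructed hostname
	m := NewMaterial(host)
	for _, p := range []Policy{PolicyStrict, PolicyChainOnly, PolicyAll} {
		fmt.Printf("%-10s genuine=%v wrong-host=%v rogue=%v\n", p,
			VerifyServerCert(p, m.Genuine, m.Roots, host) == nil,
			VerifyServerCert(p, m.Genuine, m.Roots, "other.example.internal") == nil,
			VerifyServerCert(p, m.Rogue, m.Roots, host) == nil)
	}
}
```

Run it with `go run`: STRICT rejects both the wrong hostname and the rogue certificate, CHAIN_ONLY rejects only the rogue certificate, and ALL accepts everything. In Java the equivalent of STRICT is the default X509ExtendedTrustManager combined with SSLParameters.setEndpointIdentificationAlgorithm("HTTPS"), which is what makes checkServerTrusted perform the hostname match.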

DailyCVE Form

Platform: Keycloak
Version: Affects v21.0.0 – v22.1.1
Vulnerability: Hostname verification bypass
Severity: High
Date: 2025-04-29

What Undercode Says:

Exploitation Analysis

  • Attackers can spoof Keycloak endpoints by presenting a self-signed or mismatched certificate.
  • Exploitable via DNS poisoning or rogue proxy setups.
  • Impacts OAuth2/OpenID Connect token exchanges.

Detection Commands

# Check the Keycloak config for the hostname verification policy; a value of ALL is the vulnerable setting
grep -r "hostname-verification-policy" /etc/keycloak/
# Verify the running Keycloak version (the realm endpoint does not expose it; the Quarkus distribution's CLI does)
bin/kc.sh --version   # run from the Keycloak install directory

Exploit Code (PoC)

// Insecure pattern: a TrustManager that accepts every certificate, which is what the ALL policy amounts to
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TrustAllPoC {
    public static void main(String[] args) throws Exception {
        // Neither check method validates the chain or the hostname, so any certificate is accepted
        TrustManager[] trustAll = new TrustManager[]{
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                public void checkServerTrusted(X509Certificate[] chain, String authType) {}
                public X509Certificate[] getAcceptedIssuers() { return null; }
            }
        };
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAll, new SecureRandom());
        // From here on every HttpsURLConnection in the JVM skips certificate and hostname verification
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    }
}

Mitigation Steps

1. Update Keycloak to v22.1.2 or later.

2. Enforce `STRICT` hostname verification:

{
"ssl-required": "ALL",
"hostname-verification-policy": "STRICT"
}

3. Network Controls:

# Block unauthorized outbound TLS traffic (this rule drops every outbound connection to TCP 8443; scope it to the untrusted destinations before applying)
iptables -A OUTPUT -p tcp --dport 8443 -j DROP

Log Monitoring

# Audit Keycloak logs for rejected certificates (under the vulnerable ALL policy no CertificateException is raised, so an empty result is not proof of a safe configuration)
tail -f /var/log/keycloak/server.log | grep "CertificateException"

References

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
