Keycloak Session Fixation CVE-2025-XXXX (Moderate)

How the mentioned CVE works:

This CVE is caused by a flaw in Keycloak’s session management where the session identifier is reused for a new authentication event under specific conditions. When a user logs out without a specific browser cookie present, the server-side session is not properly invalidated. If a subsequent user authenticates from the same device and browser, the application may erroneously attach the previous, still-valid session identifier to the new user’s session. This results in the new user receiving OAuth tokens, such as the access token and refresh token, that are still associated with the original user’s account and privileges, effectively allowing a session takeover.
Platform: Keycloak
Version: (Affected versions)
Vulnerability: Session Fixation
Severity: Moderate
Date: 2024-10-28

Prediction: 2024-11-18

What Undercode Says:

Check for active sessions in a realm:
  curl -s -H "Authorization: Bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/admin/realms/$REALM/sessions"

Force logout a specific session:
  curl -X DELETE -H "Authorization: Bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/admin/realms/$REALM/sessions/$SESSION_ID"

// Illustrative session validation logic (not Keycloak source): tokens are issued only
// when the session is live AND bound to the user who just authenticated, so a stale
// session left behind by a previous user cannot be handed to the next one.
// authenticatedUser is a placeholder for the identity established by the current login.
if (userSession != null && userSession.isActive()
        && userSession.getUser().equals(authenticatedUser)) {
    // Grant tokens
} else {
    // Invalidate session and require re-authentication
}

How the exploit works:

  1. User A logs into an application via Keycloak.
  2. User A clears browser cookies or uses a specific browser state.
  3. User A performs a logout. The server-side session persists.
  4. User B uses the same browser on the same device to log in.
  5. Keycloak reuses the old session ID, giving User B User A’s tokens.

Protection from this CVE:

Apply the vendor patch when available. As a temporary mitigation, ensure clients properly clear local storage and cookies upon logout. Administrators can consider configuring shorter server-side session lifespans.
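To make the failure mode and the fix concrete, here is a constructed Python model (added here; not Keycloak code) of the server-side session store described above. With strict=False, logout only invalidates when the logout cookie is present and login reuses any live session the browser presents, which is the flaw; with strict=True, logout always invalidates server-side and login reuses a session only if it belongs to the same user. Session ids and token values are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str                  # user the session was created for
    active: bool = True
    tokens: dict = field(default_factory=dict)


class SessionStore:
    """In-memory stand-in for the server-side session store; strict=False models the flaw."""

    def __init__(self, strict):
        self.strict = strict
        self.sessions = {}

    def create(self, user):
        sid = secrets.token_hex(16)
        # Constructed token values; real tokens would be signed JWTs.
        self.sessions[sid] = Session(user, tokens={"access": f"at-{user}", "refresh": f"rt-{user}"})
        return sid

    def logout(self, sid, logout_cookie_present):
        if self.strict:
            self.sessions.pop(sid, None)       # server-side invalidation never depends on browser state
        elif logout_cookie_present and sid in self.sessions:
            self.sessions[sid].active = False  # flaw: no cookie, session left active

    def login(self, user, presented_sid):
        s = self.sessions.get(presented_sid)
        if s is not None and s.active:
            if not self.strict:
                return presented_sid, s.tokens  # flaw: any live session is reused, whoever owns it
            if s.user == user:
                return presented_sid, s.tokens  # same user resuming their own live session is fine
        # Stale or foreign session: drop it and issue a fresh one bound to this user.
        self.sessions.pop(presented_sid, None)
        sid = self.create(user)
        return sid, self.sessions[sid].tokens


def reproduce(strict):
    """Five-step scenario from the post: A logs in, logs out without the cookie, B logs in on the same browser."""
    store = SessionStore(strict)
    sid_a = store.create("alice")
    store.logout(sid_a, logout_cookie_present=False)
    sid_b, tokens = store.login("bob", sid_a)
    return {"new_session": sid_b != sid_a, "access_token": tokens["access"]}
```

In the vulnerable flow reproduce(False) hands Bob a session still carrying Alice's tokens; in the strict flow Bob gets a fresh session and tokens of his own.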

Impact:

Session Hijacking, Privilege Escalation, Unauthorized Data Access.

Sources:

Reported By: github.com