Insufficient Session Expiration in org.keycloak:keycloak-services | CVE-2025-11429

Q: How to fix?

There is no fixed version for org.keycloak:keycloak-services .

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Insufficient Session Expiration vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-JAVA-ORGKEYCLOAK-13517526
published10 Oct 2025
disclosed7 Oct 2025
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 7 Oct 2025

NewCVE-2025-11429 (opens in a new tab) CWE-613 (opens in a new tab)

How to fix?

There is no fixed version for org.keycloak:keycloak-services.

Overview

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insufficient Session Expiration in the "Remember Me" realm setting. An attacker with a long-lived "Remember Me" session (e.g., stole the identity cookie) can maintain access for the full original remember-me lifetime to gain unauthorized access to sensitive information or perform actions as another user.

PoC

Steps to reproduce:

Enable "remember me" in realm settings;
Login in account console checking the "remember me" checkbox;
Disable "remember me" in realm settings;
Refresh the account console, the session is still valid.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
Low
Integrity (SI)
Low
Availability (SA)
None

Insufficient Session Expiration Affecting org.keycloak:keycloak-services package, versions [0,]

Severity