Improper Validation of Certificate with Host Mismatch Affecting org.keycloak:keycloak-services package, versions [,26.2.2)


Severity: high (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

EPSS: 0.02% (3rd percentile)

  • Snyk ID: SNYK-JAVA-ORGKEYCLOAK-9919788
  • published: 2 May 2025
  • disclosed: 30 Apr 2025
  • credit: Unknown

Introduced: 30 Apr 2025

CVE-2025-3501
CWE-297

How to fix?

Upgrade org.keycloak:keycloak-services to version 26.2.2 or higher.

Overview

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch when the verification policy is set to 'ALL'. This setting is intended only to skip the hostname check, but as an unintended side effect it also skips trust store certificate verification. An attacker can read sensitive data from the system and perform spoofing or redirection attacks by exploiting this vulnerability.

Note: The ANY mode should not be used in production.
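As an added example (not part of this advisory and not Keycloak's own code), a small Python audit that flags the two conditions the advisory describes: a keycloak-services version in the affected range [,26.2.2), and a hostname verification policy set to the value the page names ('ALL' in the overview, 'ANY' in the note; the audit flags either). The option name `tls-hostname-verifier` and its environment form `KC_TLS_HOSTNAME_VERIFIER` are assumptions, as they do not appear on this page.

```python
"""Audit a Keycloak deployment for the two conditions this advisory describes:
a keycloak-services version in [,26.2.2) and a permissive hostname verification policy."""
import re

FIXED_VERSION = (26, 2, 2)  # from the advisory: upgrade to 26.2.2 or higher
FLAGGED_POLICIES = ("ANY", "ALL")  # the values named on the advisory page

# Assumed option names (not on the advisory page): the keycloak.conf key and
# its environment-variable form.
POLICY_KEY = "tls-hostname-verifier"
POLICY_ENV = "KC_TLS_HOSTNAME_VERIFIER"

def parse_version(text):
    """'26.2.1' -> (26, 2, 1); a suffix such as '.Final' is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected_version(version):
    """True when the version falls in the advisory's affected range [,26.2.2)."""
    return parse_version(version) < FIXED_VERSION

def parse_conf(text):
    """Parse keycloak.conf 'key=value' lines; comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def hostname_policy(settings, env):
    """Effective policy, upper-cased; the conf file wins over the environment."""
    value = settings.get(POLICY_KEY, env.get(POLICY_ENV))
    return value.upper() if value is not None else None

def audit(version, conf_text, env):
    """Return a list of findings; an empty list means neither condition holds."""
    findings = []
    if is_affected_version(version):
        findings.append(f"keycloak-services {version} is in the affected range [,26.2.2)")
    policy = hostname_policy(parse_conf(conf_text), env)
    if policy in FLAGGED_POLICIES:
        findings.append(f"hostname verification policy is {policy}; not for production")
    return findings

# Constructed sample input, not taken from any real deployment.
SAMPLE_CONF = "# keycloak.conf (constructed)\ndb=postgres\ntls-hostname-verifier=any\n"
```

Run `audit("26.2.1", SAMPLE_CONF, {})` to see both findings; a deployment on 26.2.2 or higher with a stricter policy returns an empty list.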
