CVE-2025-3501

Org.keycloak.protocol.services: keycloak hostname verification

Description

A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.

Workaround:

Use the correct TLS configuration and avoid using "--tls-hostname-verifier=any".

Link	Tags
https://access.redhat.com/errata/RHSA-2025:4335	vendor advisory
https://access.redhat.com/errata/RHSA-2025:4336	vendor advisory
https://access.redhat.com/errata/RHSA-2025:8672	vendor advisory
https://access.redhat.com/errata/RHSA-2025:8690	vendor advisory
https://access.redhat.com/security/cve/CVE-2025-3501	vdb entry
https://bugzilla.redhat.com/show_bug.cgi?id=2358834	issue tracking

What is the severity of CVE-2025-3501?: CVE-2025-3501 has been scored as a high severity vulnerability.
How to fix CVE-2025-3501?: As a workaround for remediating CVE-2025-3501: Use the correct TLS configuration and avoid using "--tls-hostname-verifier=any".
Is CVE-2025-3501 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2025-3501 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-3501?: CVE-2025-3501 affects Red Hat Red Hat Build of Keycloak, Red Hat Red Hat build of Keycloak 26, Red Hat Red Hat build of Keycloak 26.0, Red Hat Red Hat build of Keycloak 26.0, Red Hat Red Hat build of Keycloak 26.0, Red Hat Red Hat build of Keycloak 26.2, Red Hat Red Hat build of Keycloak 26.2, Red Hat Red Hat build of Keycloak 26.2, Red Hat Red Hat Single Sign-On 7.