{"id":"CVE-2025-11429","details":"A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the \"Remember Me\" realm setting on existing user sessions. Sessions created while \"Remember Me\" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local \"remember-me\" flag without validating the current realm-level configuration.","aliases":["GHSA-64w3-5q9m-68xf"],"modified":"2026-04-12T17:35:48.112666Z","published":"2025-10-23T14:15:35.430Z","related":["CGA-q7q8-2r2r-r8q5"],"references":[{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2025-11429"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:22088"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:22089"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2402148"},{"type":"REPORT","url":"https://github.com/keycloak/keycloak/issues/43328"},{"type":"FIX","url":"https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d"},{"type":"FIX","url":"https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/keycloak/keycloak","events":[{"introduced":"0"},{"fixed":"a34094100716b7c69ae38eaed6678ab4344d0a1d"}]},{"type":"GIT","repo":"https://github.com/keycloak/keycloak","events":[{"introduced":"0"},{"fixed":"bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b"}]}],"versions":["1.0-alpha-1","1.0-alpha-1-12062013","1.0-alpha-2","1.0-alpha-3","1.0-beta-1","1.0-beta-2","1.0-beta-4","1.0-final","1.0-rc-1","1.0.0.Final","1.1.0.Beta2","1.3.0.Final","2.4.0.Test"],"database_specific":{"vanir_signatures_modified":"2026-04-12T17:35:48Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11429.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}]}