Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-epcy-krft-z7d4

Summary

Keycloak does not invalidate sessions when "Remember Me" is disabled
A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.

Aliases

alias	CVE-2025-11429

alias	GHSA-64w3-5q9m-68xf

Fixed_packages

url pkg:maven/org.keycloak/keycloak-services@26.4.1

purl pkg:maven/org.keycloak/keycloak-services@26.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5vwq-aqk5-nkh9

vulnerability	VCID-7c1j-kcbb-v3f1

vulnerability	VCID-gzz6-md9v-b3em

vulnerability	VCID-m3uj-4mag-kbf2

vulnerability	VCID-qgbq-s33g-d7af

vulnerability	VCID-x4aw-v76q-vbdc

vulnerability	VCID-xd7x-aevv-cfcp

vulnerability	VCID-xfnw-15sz-zyfr

vulnerability	VCID-y1h3-yyn9-53fr

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.4.1

Affected_packages

url pkg:maven/org.keycloak/keycloak-services@26.3.0

purl pkg:maven/org.keycloak/keycloak-services@26.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2dgp-xdrz-q7dv

vulnerability	VCID-5vwq-aqk5-nkh9

vulnerability	VCID-7c1j-kcbb-v3f1

vulnerability	VCID-8vzz-naas-a7ab

vulnerability	VCID-epcy-krft-z7d4

vulnerability	VCID-gnxr-2t9g-4ye4

vulnerability	VCID-gzz6-md9v-b3em

vulnerability	VCID-jsvn-26y8-q3ey

vulnerability	VCID-m3uj-4mag-kbf2

vulnerability	VCID-mku9-3bpp-aqbk

vulnerability	VCID-qgbq-s33g-d7af

vulnerability	VCID-tc9b-zzjt-63c7

vulnerability	VCID-x4aw-v76q-vbdc

vulnerability	VCID-xd7x-aevv-cfcp

vulnerability	VCID-xfnw-15sz-zyfr

vulnerability	VCID-y1h3-yyn9-53fr

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.3.0

References

reference_url

https://access.redhat.com/errata/RHSA-2025:22088

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-23T14:31:09Z/

url

https://access.redhat.com/errata/RHSA-2025:22088

reference_url

https://access.redhat.com/errata/RHSA-2025:22089

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-23T14:31:09Z/

url

https://access.redhat.com/errata/RHSA-2025:22089

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-11429.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-11429.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-11429

reference_id

reference_type

scores

value	0.00115
scoring_system	epss
scoring_elements	0.30097
published_at	2026-04-21T12:55:00Z

value	0.00115
scoring_system	epss
scoring_elements	0.30273
published_at	2026-04-02T12:55:00Z

value	0.00115
scoring_system	epss
scoring_elements	0.30322
published_at	2026-04-04T12:55:00Z

value	0.00115
scoring_system	epss
scoring_elements	0.30137
published_at	2026-04-07T12:55:00Z

value	0.00115
scoring_system	epss
scoring_elements	0.30197
published_at	2026-04-08T12:55:00Z

value	0.00115
scoring_system	epss
scoring_elements	0.30232
published_at	2026-04-09T12:55:00Z

value	0.00115
scoring_system	epss
scoring_elements	0.30235
published_at	2026-04-11T12:55:00Z

value	0.00115
scoring_system	epss
scoring_elements	0.30192
published_at	2026-04-12T12:55:00Z

value	0.00115
scoring_system	epss
scoring_elements	0.30145
published_at	2026-04-13T12:55:00Z

value	0.00115
scoring_system	epss
scoring_elements	0.3016
published_at	2026-04-16T12:55:00Z

value	0.00115
scoring_system	epss
scoring_elements	0.30141
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-11429

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=2402148

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-23T14:31:09Z/

url

https://bugzilla.redhat.com/show_bug.cgi?id=2402148

reference_url

https://github.com/keycloak/keycloak

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak

reference_url

https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-23T14:31:09Z/

url

https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d

reference_url

https://github.com/keycloak/keycloak/commit/a752492843e21c3ab06090616692e53001864158

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/commit/a752492843e21c3ab06090616692e53001864158

reference_url

https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-23T14:31:09Z/

url

https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b

reference_url

https://github.com/keycloak/keycloak/issues/43328

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-23T14:31:09Z/

url

https://github.com/keycloak/keycloak/issues/43328

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.2::el9
reference_id	cpe:/a:redhat:build_keycloak:26.2::el9
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.2::el9

reference_url

https://access.redhat.com/security/cve/CVE-2025-11429

reference_id

CVE-2025-11429

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-23T14:31:09Z/

url

https://access.redhat.com/security/cve/CVE-2025-11429

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-11429

reference_id

CVE-2025-11429

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-11429

reference_url

https://github.com/advisories/GHSA-64w3-5q9m-68xf

reference_id

GHSA-64w3-5q9m-68xf

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-64w3-5q9m-68xf

Weaknesses

cwe_id	613
name	Insufficient Session Expiration
description	According to WASC, Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 4.0 - 6.9

Exploitability 0.5

Weighted_severity 6.2

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-epcy-krft-z7d4

Vulnerability Instance