
Cloud Vulnerability DB
A community-led vulnerabilities database
A denial of service vulnerability (CVE-2024-11734) was discovered in Keycloak that affects administrative users with realm settings modification privileges. The vulnerability was disclosed on January 14, 2025, and affects the Keycloak server software. This security issue has been classified with a CVSS v3.1 base score of 6.5 (Medium) (NVD, Red Hat Advisory).
The vulnerability is triggered when an administrative user modifies the realm's security headers by inserting newline characters into them. This causes the Keycloak server to attempt to write to a request that has already been terminated, so the request fails. The vulnerability has been assigned the CVSS vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, low privileges required, and high impact on availability (NVD).
When exploited, this vulnerability can cause service disruption, preventing users from accessing applications that rely on Keycloak authentication or any of the consoles provided by Keycloak itself on the affected realm. The impact is limited to availability, with no direct effect on confidentiality or integrity (Red Hat Bugzilla).
Red Hat has addressed this vulnerability in Keycloak version 26.0.8. Updates are available through security advisories RHSA-2025:0299 and RHSA-2025:0300. Users are advised to upgrade to the latest version to mitigate this security issue (Red Hat Advisory).
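Two pre-checks a defender can run follow from the description above: confirm the deployed Keycloak build is at or past the fixed version, and scan a realm export for security-header values that contain carriage-return or line-feed characters before the configuration is applied. The script below is an added example written for this page; it is not Keycloak's or Red Hat's code. It assumes (as Keycloak realm exports do) that the realm JSON carries a "browserSecurityHeaders" object mapping header names to values, and the sample realm document embedded in it is constructed for the example.

```python
"""Added example (not Keycloak's own code): defender-side checks derived from
the public description of CVE-2024-11734.

Assumptions not taken from the advisory: the realm export is JSON with a
"browserSecurityHeaders" object of header name -> value, and the SAMPLE_REALM
document below is constructed for this example.
"""
import json
import re

# Carriage return / line feed: the characters the advisory says trigger the
# write-to-terminated-request failure when present in a security header.
_CRLF = re.compile(r"[\r\n]")

# Upstream fix version named in the advisory.
FIXED_VERSION = (26, 0, 8)


def find_newline_headers(headers):
    """Return the (sorted) names of headers whose value contains CR or LF."""
    return sorted(
        name
        for name, value in headers.items()
        if isinstance(value, str) and _CRLF.search(value)
    )


def audit_realm_export(realm_json):
    """Scan a realm export (JSON text) and report offending header names."""
    realm = json.loads(realm_json)
    headers = realm.get("browserSecurityHeaders", {})
    return find_newline_headers(headers)


def parse_version(version):
    """Turn '26.0.8' (or a suffixed form such as '26.0.8.redhat-00001',
    a hypothetical build string) into a comparable (major, minor, patch)."""
    parts = []
    for piece in version.split(".")[:3]:
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_fixed(version):
    """True when the given Keycloak version is at or past the fix."""
    return parse_version(version) >= FIXED_VERSION


# Constructed realm export: two header values carry embedded newlines,
# one is clean. Written with json.dumps so the CR/LF survive as JSON escapes.
SAMPLE_REALM = json.dumps({
    "realm": "example",
    "browserSecurityHeaders": {
        "xFrameOptions": "SAMEORIGIN",
        "contentSecurityPolicy": "frame-src 'self'\r\nX-Injected: yes",
        "strictTransportSecurity": "max-age=31536000\n",
    },
})


if __name__ == "__main__":
    bad = audit_realm_export(SAMPLE_REALM)
    print("headers with embedded newlines:", bad or "none")
    for v in ("26.0.7", "26.0.8", "26.1.0"):
        print(f"Keycloak {v}: {'fixed' if is_fixed(v) else 'affected'}")
```

The header scan is deliberately strict: any CR or LF in a value is reported, since a valid security header never spans lines. Running the audit against a realm export before importing it, or as a CI check on realm configuration kept in version control, catches the condition the advisory describes before it reaches a server; the version check is the authoritative answer for whether upgrading is still required.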
Source: This report was generated using AI