CVE-2025-2559: 
Java vulnerability analysis and mitigation

A flaw was found in Keycloak affecting the JWT token authentication mechanism. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time (e.g., 24 or 48 hours), the cache can grow indefinitely, leading to an OutOfMemoryError (NVD, Red Hat CVE).

The vulnerability is tracked as CVE-2025-2559 and has been assigned a CVSS v3.1 base score of 4.9 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H. The issue stems from an unbounded caching mechanism for JWT tokens in the authentication system, where tokens are stored until their expiration without any size limitations or cleanup mechanisms (NVD).

This vulnerability could result in a denial of service condition, preventing legitimate users from accessing the system. When exploited, the unbounded cache growth leads to memory exhaustion, potentially causing the Keycloak service to become unresponsive or crash (NVD).

While specific patch information is not provided in the available sources, administrators should review and adjust JWT token expiration times to prevent excessive cache growth. Additionally, monitoring system memory usage and implementing appropriate resource limits can help mitigate the risk (Red Hat Bugzilla).