CVE-2025-3501: 
Java vulnerability analysis and mitigation

A security vulnerability was discovered in Keycloak's certificate verification process, identified as CVE-2025-3501. The vulnerability was discovered and disclosed on April 10, 2025, affecting Keycloak's trust store certificate verification mechanism. The flaw occurs when the verification policy is set to 'ALL', which unintentionally causes the system to skip the trust store certificate verification process (Red Hat CVE, NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 8.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N. It is categorized under CWE-297 (Improper Validation of Certificate with Host Mismatch). When the verification policy is set to 'ALL', not only is the hostname check bypassed, but the trust store certificate verification process is also inadvertently skipped (Wiz Report, Red Hat CVE).

The vulnerability could potentially allow attackers to bypass certificate validation mechanisms, leading to security implications in certificate-based authentication and verification processes. The CVSS scoring indicates high confidentiality impact and low integrity impact, with no effect on availability (NVD, Wiz Report).

Red Hat has addressed this vulnerability by releasing security updates RHSA-2025:4335 and RHSA-2025:4336, which include fixes for Keycloak versions 26.0.11. Users are strongly advised to update to the patched versions to mitigate the vulnerability (Red Hat Advisory, Red Hat Advisory).