CVE-2024-9666 in Keycloakinfo

Summary

by MITRE • 11/25/2024

A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 12/22/2025

The vulnerability in Keycloak Server represents a critical denial of service weakness that stems from inadequate validation of proxy headers within the authentication infrastructure. This flaw manifests when the server is configured to accept and process incoming proxy headers from reverse proxies, creating an attack surface where malicious actors can manipulate header values to trigger resource exhaustion. The issue specifically occurs when reverse proxies fail to properly overwrite existing headers, allowing attackers to inject non-standard values that Keycloak processes without sufficient validation mechanisms.

The technical exploitation of this vulnerability involves crafting malicious requests with specially formatted proxy headers containing obfuscated identifiers or non-IP values that bypass normal validation checks. When Keycloak encounters these unvalidated header values, it attempts to resolve them through DNS operations or other network lookups, consuming valuable IO threads and system resources. This process can be amplified by sending multiple requests with varying malformed header values, creating a cascading effect that depletes available thread pools and renders the authentication service unavailable to legitimate users.

From an operational perspective, this vulnerability directly impacts the availability and reliability of Keycloak deployments in production environments where reverse proxies are commonly used for load balancing, SSL termination, and request routing. The attack vector requires specific configuration conditions including trust in proxy headers and the absence of proper header sanitization by upstream proxies, making it particularly relevant in complex deployment scenarios involving multiple layers of networking infrastructure. Organizations using Keycloak in containerized or cloud-native environments face heightened risk due to the prevalence of reverse proxy configurations in these architectures.

The underlying flaw aligns with CWE-20, which addresses improper input validation, and represents a classic example of how insecure header processing can lead to resource exhaustion attacks. This vulnerability maps to several ATT&CK techniques including T1498 for denial of service and T1566 for social engineering through malicious network traffic manipulation. The impact extends beyond simple availability disruption to potentially affecting authentication workflows and user access to protected applications that depend on Keycloak for identity management.

Organizations should implement immediate mitigations including disabling trust in proxy headers when not explicitly required, implementing strict header validation policies, and configuring reverse proxies to properly overwrite or sanitize incoming headers before forwarding requests to Keycloak instances. Additionally, monitoring systems should be enhanced to detect unusual patterns of DNS resolution requests or thread pool exhaustion that may indicate exploitation attempts. Regular security assessments and proper configuration management practices are essential to prevent unauthorized access to vulnerable Keycloak deployments while maintaining operational integrity in distributed authentication environments.

Reservation

10/08/2024

Disclosure

11/25/2024

Moderation

accepted

CPE

ready

EPSS

0.00399

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!