A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.
Weakness
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat build of Keycloak 24 | RedHat | rhbk/keycloak-operator-bundle:24.0.9-1 | * |
| Red Hat build of Keycloak 24 | RedHat | rhbk/keycloak-rhel9:24-18 | * |
| Red Hat build of Keycloak 24 | RedHat | rhbk/keycloak-rhel9-operator:24-18 | * |
| Red Hat build of Keycloak 24.0.9 | RedHat | org.keycloak/keycloak-services | * |
| Red Hat build of Keycloak 26.0 | RedHat | rhbk/keycloak-operator-bundle:26.0.6-2 | * |
| Red Hat build of Keycloak 26.0 | RedHat | rhbk/keycloak-rhel9:26.0-5 | * |
| Red Hat build of Keycloak 26.0 | RedHat | rhbk/keycloak-rhel9-operator:26.0-6 | * |
| Red Hat build of Keycloak 26.0.6 | RedHat | org.keycloak/keycloak-services | * |
Extended Description
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.