Medium severity (CVSS 6.5) · NVD Advisory · Published Nov 25, 2024 · Updated May 6, 2026
CVE-2024-10270
Description
A vulnerability was found in the Keycloak-services package (org.keycloak:keycloak-services). If untrusted data is passed to the SearchQueryUtils.getFields method, which parsed search queries with a regular expression, it can lead to a denial of service (DoS): crafted input makes the pattern backtrack excessively and exhausts CPU (a regular-expression complexity, or ReDoS, issue).
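An added illustration of that mechanism, not Keycloak's code: the pre-patch `queryPattern` and `escapedCharsPattern` from the fix commit on this page transcribed into Python's `re` syntax (only the named-group spelling differs), a linear-time scanner in the spirit of the fix that parses the same `name:value` grammar, and a worst-case input with the shape used by the patch's `testReDoS`. The names `parse_with_regex`, `parse_linear`, `redos_probe` and `time_parser` are chosen here, and the sample queries are constructed.

```python
import re
import time

# Pre-patch Keycloak queryPattern / escapedCharsPattern, transcribed from Java
# to Python's re syntax (named groups are written (?P<x>...) here).
QUERY_PATTERN = re.compile(
    r'\s*(?:(?P<name>[^"][^: ]+|.)|"(?P<nameEsc>(?:\\.|[^\\"])+)")'
    r':(?:(?P<value>[^"][^ ]*)|"(?P<valueEsc>(?:\\.|[^\\"])+)")\s*'
)
ESCAPED_CHARS = re.compile(r'\\(.)')


def parse_with_regex(query):
    """Mirror of the removed getFields(): every token is found by backtracking search."""
    fields = {}
    for m in QUERY_PATTERN.finditer(query):
        name = m.group('name')
        if name is None:
            name = ESCAPED_CHARS.sub(r'\1', m.group('nameEsc'))
        value = m.group('value')
        if value is None:
            value = ESCAPED_CHARS.sub(r'\1', m.group('valueEsc'))
        fields[name] = value
    return fields


def _read_atom(s, i, stop_at_colon):
    """Read one name or value starting at s[i]; return (text, index just past it).

    Quoted atoms honour backslash escapes (a backslash makes the next character
    literal); unquoted atoms are taken verbatim, as the original pattern did.
    A trailing backslash is kept literally rather than read past the end, and an
    unterminated quote simply runs to the end of the input.
    """
    n = len(s)
    out = []
    if i < n and s[i] == '"':
        i += 1
        while i < n and s[i] != '"':
            if s[i] == '\\' and i + 1 < n:   # escape: take the next char as data
                i += 1
            out.append(s[i])
            i += 1
        return ''.join(out), i + 1           # step over the closing quote
    while i < n and s[i] != ' ' and not (stop_at_colon and s[i] == ':'):
        out.append(s[i])
        i += 1
    return ''.join(out), i


def parse_linear(query):
    """Same name:value grammar as the regex, one left-to-right pass, no backtracking."""
    fields = {}
    i, n = 0, len(query)
    while i < n:
        if query[i].isspace():                # inter-token whitespace (the regex's \s*)
            i += 1
            continue
        name, i = _read_atom(query, i, stop_at_colon=True)
        if i >= n or query[i] != ':':
            while i < n and query[i] != ' ':  # token without a colon: skip it,
                i += 1                        # as the regex version silently did
            continue
        value, i = _read_atom(query, i + 1, stop_at_colon=False)
        fields[name] = value
    return fields


def redos_probe(n):
    # Constructed worst case with the shape of the patch's testReDoS input:
    # n spaces, 2n newlines, then a digit, and no ':' anywhere.
    # For every start offset inside the spaces, \s* first swallows everything and
    # then backs off one character at a time; at each offset inside the newline
    # run, [^"][^: ]+ re-scans to the end looking for a ':' that never comes.
    # That is work on the order of n * (2n)^2 before finditer gives up.
    return ' ' * n + '\n\n' * n + '0'


def time_parser(parser, query):
    """Seconds spent parsing `query` with `parser`."""
    start = time.perf_counter()
    parser(query)
    return time.perf_counter() - start


if __name__ == '__main__':
    for n in (100, 200, 400):
        q = redos_probe(n)
        print(f'n={n:4d} len={len(q):5d}  regex {time_parser(parse_with_regex, q):7.3f}s'
              f'  linear {time_parser(parse_linear, q):9.6f}s')
```

Run stand-alone, the regex column grows roughly eightfold each time n doubles while the scanner's stays proportional to the input length; on benign queries both parsers return the same fields, and the scanner also survives inputs the original code never considered, such as a trailing backslash.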
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.keycloak:keycloak-services | Maven | < 24.0.9 | 24.0.9 |
| org.keycloak:keycloak-services | Maven | >= 25.0.0, < 26.0.6 | 26.0.6 |
Patches
5d6c91f3309d EMBARGOED CVE-2024-10270 org.keycloak/keycloak-services: Keycloak Denial of Service (#35218)
2 files changed · +80 −18
services/src/main/java/org/keycloak/utils/SearchQueryUtils.java+68 −18 modified@@ -19,36 +19,86 @@ import java.util.HashMap; import java.util.Map; -import java.util.regex.Matcher; -import java.util.regex.Pattern; /** * @author Vaclav Muzikar <vmuzikar@redhat.com> */ public class SearchQueryUtils { - public static final Pattern queryPattern = Pattern.compile("\\s*(?:(?<name>[^\"][^: ]+|.)|\"(?<nameEsc>(?:\\\\.|[^\\\\\"])+)\"):(?:(?<value>[^\"][^ ]*)|\"(?<valueEsc>(?:\\\\.|[^\\\\\"])+)\")\\s*"); - public static final Pattern escapedCharsPattern = Pattern.compile("\\\\(.)"); public static Map<String, String> getFields(final String query) { - Matcher matcher = queryPattern.matcher(query); Map<String, String> ret = new HashMap<>(); - while (matcher.find()) { - String name = matcher.group("name"); - if (name == null) { - name = unescape(matcher.group("nameEsc")); + char[] chars = query.trim().toCharArray(); + for (int i = 0; i < chars.length; i++) { + boolean inQuotes = false; + boolean internal = false; + String name = ""; + while (i < chars.length && chars[i] != ':') { + if (chars[i] == '\\') { + if (chars[i+1] == '\"') { + i++; + } + else if (chars[i+1] == '\\') { + i+=2; + continue; + } + } + else if (chars[i] == '\"') { + if(!inQuotes && name.length() > 0) { + internal = true; + } + else if(internal) { + internal = false; + } + else { + inQuotes = !inQuotes; + i++; + continue; + } + } + else if(chars[i] == ' ' && !inQuotes) { + break; + } + name += chars[i]; + i++; } - - String value = matcher.group("value"); - if (value == null) { - value = unescape(matcher.group("valueEsc")); + if(i == chars.length || chars[i] == ' ') { + continue; + } + i++; + inQuotes = false; + internal = false; + String value = ""; + while (i < chars.length) { + if (chars[i] == '\\') { + if (chars[i+1] == '\"') { + i++; + } + else if (chars[i+1] == '\\') { + i+=2; + continue; + } + } + else if (chars[i] == '\"') { + if(!inQuotes && value.length() > 0) { + internal = true; + } + else 
if(internal) { + internal = false; + } + else { + inQuotes = !inQuotes; + i++; + continue; + } + } + else if(chars[i] == ' ' && !inQuotes) { + break; + } + value += chars[i]; + i++; } - ret.put(name, value); } return ret; } - - public static String unescape(final String escaped) { - return escapedCharsPattern.matcher(escaped).replaceAll("$1"); - } }
services/src/test/java/org/keycloak/utils/SearchQueryUtilsTest.java+12 −0 modified@@ -23,6 +23,7 @@ import java.util.Map; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; /** * @author Vaclav Muzikar <vmuzikar@redhat.com> @@ -78,4 +79,15 @@ private void testParseQuery(String query, String... expectedStr) { assertEquals(expected, actual); } + + @Test + public void testReDoS() { + long start = System.currentTimeMillis(); + int count = 50000; + for (int i = 0; i < count; i++) { + SearchQueryUtils.getFields(" ".repeat(1443) + "\n\n".repeat(1443) + 0); + } + long end = System.currentTimeMillis() - start; + System.out.println("took: " + end + " milliseconds"); + } }
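Review bot: in the SearchQueryUtils.java hunk, both `chars[i+1]` reads (in the name loop and again in the value loop) are unguarded, so a query whose last character is a backslash, e.g. `a:b\`, throws ArrayIndexOutOfBoundsException on user-controlled input; guard with `i + 1 < chars.length` or treat a trailing backslash as a literal. In the same loops, `else if (chars[i+1] == '\\') { i+=2; continue; }` drops an escaped backslash instead of emitting one `\`, while any other `\x` now keeps its backslash; both diverge from the removed `unescape` (`\\(.)` replaced by `$1`, which turned every `\x` into `x`), so existing quoted values parse differently after this change. `name += chars[i]` and `value += chars[i]` build the strings by repeated concatenation, which is quadratic in token length in a change whose whole purpose is bounding parse cost; a StringBuilder fixes that. Finally, the `else if(internal)` branches look unreachable: `internal` is only set while `!inQuotes && name.length() > 0`, and that same condition is tested first on every later quote, so the flag is never cleared.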
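Review bot: in the SearchQueryUtilsTest.java hunk, `testReDoS` cannot fail: it only prints the elapsed time, and the `assertTrue` import added in the first hunk is never used, so a regression to a backtracking implementation would still pass CI. Give the test a budget, for example `@Test(timeout = 10000)` or `assertTrue("took: " + end + " ms", end < LIMIT_MS)`, and assert on the parsed result too (the probe `" ".repeat(1443) + "\n\n".repeat(1443) + 0` contains no colon, so `getFields` should return an empty map). A comment explaining why that shape, spaces then newlines then a digit, defeated the old pattern would help the next reader, and `count = 50000` parses of a 4 KB string is heavy for a unit test; a few iterations under the timeout carry the same intent.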
References
- github.com/advisories/GHSA-wq8x-cg39-8mrr (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-10270 (advisory)
- access.redhat.com/errata/RHSA-2024:10175
- access.redhat.com/errata/RHSA-2024:10176
- access.redhat.com/errata/RHSA-2024:10177
- access.redhat.com/errata/RHSA-2024:10178
- access.redhat.com/security/cve/CVE-2024-10270
- bugzilla.redhat.com/show_bug.cgi
- github.com/keycloak/keycloak/commit/5d6c91f3309db468b0fe4834e88c3d25649f73e4 (fix commit)
- github.com/keycloak/keycloak/security/advisories/GHSA-wq8x-cg39-8mrr (advisory)