VYPR
High severity · CVSS 8.2 · NVD Advisory · Published Apr 29, 2025 · Updated Apr 15, 2026

CVE-2025-3501

Description

A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.
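The defect in the commit below is that a hostname policy of `ANY` replaced the truststore-backed trust manager with one that accepts every certificate chain, so the hostname setting silently disabled certificate verification as well. The following is an added example (not Keycloak's code) showing the separation the fix restores: chain validation always comes from a `TrustManagerFactory` initialised from the truststore, and the hostname policy only selects a `HostnameVerifier`. The class and method names, the `HostnamePolicy` enum (mirroring the `DEFAULT` and `ANY` values named on this page) and the use of the JVM default truststore (`init(null)`) are assumptions made for the example.

```java
import java.security.KeyStore;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class HostnamePolicyDemo {

    // Hypothetical policy names, mirroring the tls-hostname-verifier values on the page.
    enum HostnamePolicy { DEFAULT, ANY }

    /**
     * Chain validation is always taken from the truststore. Nothing here depends on the
     * hostname policy, so no policy value can turn certificate verification off.
     * Passing null selects the JVM default truststore (assumption for this demo).
     */
    static X509TrustManager truststoreTrustManager(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available from truststore");
    }

    /**
     * The hostname policy only affects the HostnameVerifier layer. ANY relaxes the
     * host-name match (as the page's docs describe) but leaves chain validation intact.
     */
    static HostnameVerifier hostnameVerifier(HostnamePolicy policy) {
        switch (policy) {
            case ANY:
                return (host, session) -> true;
            default:
                return HttpsURLConnection.getDefaultHostnameVerifier();
        }
    }

    /** SSLContext built only from the truststore-backed trust manager. */
    static SSLContext sslContext(KeyStore truststore) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { truststoreTrustManager(truststore) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = truststoreTrustManager(null);
        System.out.println("issuers trusted via truststore: " + tm.getAcceptedIssuers().length);

        HostnameVerifier any = hostnameVerifier(HostnamePolicy.ANY);
        System.out.println("ANY accepts a mismatched host: " + any.verify("not-the-real-host", null));

        // Wiring for an outgoing HTTPS call: the socket factory validates the chain against
        // the truststore; the verifier applies the hostname policy and nothing more.
        // HttpsURLConnection conn = (HttpsURLConnection) new URL("https://host.example/").openConnection();
        // conn.setSSLSocketFactory(sslContext(null).getSocketFactory());
        // conn.setHostnameVerifier(hostnameVerifier(HostnamePolicy.ANY));
    }
}
```

The contrast with the removed code in `JSSETruststoreConfigurator` is the point: an `X509TrustManager` whose `checkServerTrusted` is empty and whose `getAcceptedIssuers` returns nothing accepts any chain, so it must never be selected by a setting that is documented as affecting only hostname matching.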

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.keycloak:keycloak-services (Maven) · Affected versions: < 26.2.2 · Patched versions: 26.2.2

Patches

2 patches; shown: commit 99ca24c83272

fix: remove ANY mode modification of truststores

https://github.com/keycloak/keycloak · Steve Hawkins · Apr 14, 2025 · via ghsa
21 files changed · +60 −66
  • docs/guides/server/keycloak-truststore.adoc (+1 −1, modified)
    @@ -29,7 +29,7 @@ It is still possible to directly set your own `javax.net.ssl` truststore System
     You may refine how hostnames are verified by TLS connections with the `tls-hostname-verifier` property.
     
     * `DEFAULT` (the default) allows wildcards in subdomain names (e.g. *.foo.com) to match names with the same number of levels (e.g. a.foo.com, but not a.b.foo.com) - with rules and exclusions for public suffixes based upon https://publicsuffix.org/list/
    -* `ANY` means that the hostname is not verified.
    +* `ANY` means that the hostname is not verified - this mode should not be used in production.
     * `WILDCARD` (deprecated) allows wildcards in subdomain names (e.g. *.foo.com) to match anything, including multiple levels (e.g. a.b.foo.com). Use DEFAULT instead.
     * `STRICT` (deprecated) allows wildcards in subdomain names (e.g. *.foo.com) to match names with the same number of levels (e.g. a.foo.com, but not a.b.foo.com) - with some limited exclusions. Use DEFAULT instead.
     +
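Review bot: the final `+` line of this hunk adds an empty line at the end of the `tls-hostname-verifier` list with no content; drop it unless a paragraph break is intended there. The `ANY` item also still says only that the hostname is not verified; since this commit stops `ANY` from swapping in an all-accepting trust manager (see the `JSSETruststoreConfigurator` hunk), it would help to state that certificate chain validation against the truststore still applies under `ANY`, so readers do not assume the old behaviour.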
    
  • quarkus/config-api/src/main/java/org/keycloak/config/TruststoreOptions.java (+1 −1, modified)
    @@ -13,7 +13,7 @@ public class TruststoreOptions {
     
         public static final Option<HostnameVerificationPolicy> HOSTNAME_VERIFICATION_POLICY = new OptionBuilder<>("tls-hostname-verifier", HostnameVerificationPolicy.class)
                 .category(OptionCategory.TRUSTSTORE)
    -            .description("The TLS hostname verification policy for out-going HTTPS and SMTP requests.")
    +            .description("The TLS hostname verification policy for out-going HTTPS and SMTP requests. ANY should not be used in production.")
                 .defaultValue(HostnameVerificationPolicy.DEFAULT)
                 .deprecatedValues("STRICT and WILDCARD have been deprecated, use DEFAULT instead.", HostnameVerificationPolicy.STRICT, HostnameVerificationPolicy.WILDCARD)
                 .build();
    
  • quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBootstrapAdminService.approved.txt (+2 −2, modified)
    @@ -172,8 +172,8 @@ Truststore:
     
     --tls-hostname-verifier <tls-hostname-verifier>
                          The TLS hostname verification policy for out-going HTTPS and SMTP requests.
    -                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
    -                       DEFAULT. Default: DEFAULT.
    +                       ANY should not be used in production. Possible values are: ANY, WILDCARD
    +                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
     --truststore-paths <truststore-paths>
                          List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                            directories containing those files that will be used as a system truststore.
    \ No newline at end of file
    
  • quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBootstrapAdminUser.approved.txt (+2 −2, modified)
    @@ -174,8 +174,8 @@ Truststore:
     
     --tls-hostname-verifier <tls-hostname-verifier>
                          The TLS hostname verification policy for out-going HTTPS and SMTP requests.
    -                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
    -                       DEFAULT. Default: DEFAULT.
    +                       ANY should not be used in production. Possible values are: ANY, WILDCARD
    +                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
     --truststore-paths <truststore-paths>
                          List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                            directories containing those files that will be used as a system truststore.
    \ No newline at end of file
    
  • quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.approved.txt (+2 −2, modified)
    @@ -285,8 +285,8 @@ Truststore:
     
     --tls-hostname-verifier <tls-hostname-verifier>
                          The TLS hostname verification policy for out-going HTTPS and SMTP requests.
    -                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
    -                       DEFAULT. Default: DEFAULT.
    +                       ANY should not be used in production. Possible values are: ANY, WILDCARD
    +                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
     --truststore-paths <truststore-paths>
                          List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                            directories containing those files that will be used as a system truststore.
    
  • quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelp.approved.txt (+2 −2, modified)
    @@ -167,8 +167,8 @@ Truststore:
     
     --tls-hostname-verifier <tls-hostname-verifier>
                          The TLS hostname verification policy for out-going HTTPS and SMTP requests.
    -                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
    -                       DEFAULT. Default: DEFAULT.
    +                       ANY should not be used in production. Possible values are: ANY, WILDCARD
    +                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
     --truststore-paths <truststore-paths>
                          List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                            directories containing those files that will be used as a system truststore.
    
  • quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.approved.txt (+2 −2, modified)
    @@ -285,8 +285,8 @@ Truststore:
     
     --tls-hostname-verifier <tls-hostname-verifier>
                          The TLS hostname verification policy for out-going HTTPS and SMTP requests.
    -                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
    -                       DEFAULT. Default: DEFAULT.
    +                       ANY should not be used in production. Possible values are: ANY, WILDCARD
    +                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
     --truststore-paths <truststore-paths>
                          List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                            directories containing those files that will be used as a system truststore.
    
  • quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelp.approved.txt (+2 −2, modified)
    @@ -167,8 +167,8 @@ Truststore:
     
     --tls-hostname-verifier <tls-hostname-verifier>
                          The TLS hostname verification policy for out-going HTTPS and SMTP requests.
    -                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
    -                       DEFAULT. Default: DEFAULT.
    +                       ANY should not be used in production. Possible values are: ANY, WILDCARD
    +                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
     --truststore-paths <truststore-paths>
                          List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                            directories containing those files that will be used as a system truststore.
    
  • quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt (+2 −2, modified)
    @@ -500,8 +500,8 @@ Truststore:
     
     --tls-hostname-verifier <tls-hostname-verifier>
                          The TLS hostname verification policy for out-going HTTPS and SMTP requests.
    -                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
    -                       DEFAULT. Default: DEFAULT.
    +                       ANY should not be used in production. Possible values are: ANY, WILDCARD
    +                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
     --truststore-paths <truststore-paths>
                          List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                            directories containing those files that will be used as a system truststore.
    
  • quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt (+2 −2, modified)
    @@ -322,8 +322,8 @@ Truststore:
     
     --tls-hostname-verifier <tls-hostname-verifier>
                          The TLS hostname verification policy for out-going HTTPS and SMTP requests.
    -                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
    -                       DEFAULT. Default: DEFAULT.
    +                       ANY should not be used in production. Possible values are: ANY, WILDCARD
    +                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
     --truststore-paths <truststore-paths>
                          List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                            directories containing those files that will be used as a system truststore.
    
  • quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt (+2 −2, modified)
    @@ -501,8 +501,8 @@ Truststore:
     
     --tls-hostname-verifier <tls-hostname-verifier>
                          The TLS hostname verification policy for out-going HTTPS and SMTP requests.
    -                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
    -                       DEFAULT. Default: DEFAULT.
    +                       ANY should not be used in production. Possible values are: ANY, WILDCARD
    +                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
     --truststore-paths <truststore-paths>
                          List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                            directories containing those files that will be used as a system truststore.
    
  • quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt (+2 −2, modified)
    @@ -354,8 +354,8 @@ Truststore:
     
     --tls-hostname-verifier <tls-hostname-verifier>
                          The TLS hostname verification policy for out-going HTTPS and SMTP requests.
    -                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
    -                       DEFAULT. Default: DEFAULT.
    +                       ANY should not be used in production. Possible values are: ANY, WILDCARD
    +                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
     --truststore-paths <truststore-paths>
                          List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                            directories containing those files that will be used as a system truststore.
    
  • quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt (+2 −2, modified)
    @@ -436,8 +436,8 @@ Truststore:
     
     --tls-hostname-verifier <tls-hostname-verifier>
                          The TLS hostname verification policy for out-going HTTPS and SMTP requests.
    -                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
    -                       DEFAULT. Default: DEFAULT.
    +                       ANY should not be used in production. Possible values are: ANY, WILDCARD
    +                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
     --truststore-paths <truststore-paths>
                          List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                            directories containing those files that will be used as a system truststore.
    
  • quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt (+2 −2, modified)
    @@ -297,8 +297,8 @@ Truststore:
     
     --tls-hostname-verifier <tls-hostname-verifier>
                          The TLS hostname verification policy for out-going HTTPS and SMTP requests.
    -                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
    -                       DEFAULT. Default: DEFAULT.
    +                       ANY should not be used in production. Possible values are: ANY, WILDCARD
    +                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
     --truststore-paths <truststore-paths>
                          List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                            directories containing those files that will be used as a system truststore.
    
  • quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityCheckHelpAll.approved.txt (+2 −2, modified)
    @@ -500,8 +500,8 @@ Truststore:
     
     --tls-hostname-verifier <tls-hostname-verifier>
                          The TLS hostname verification policy for out-going HTTPS and SMTP requests.
    -                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
    -                       DEFAULT. Default: DEFAULT.
    +                       ANY should not be used in production. Possible values are: ANY, WILDCARD
    +                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
     --truststore-paths <truststore-paths>
                          List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                            directories containing those files that will be used as a system truststore.
    
  • quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityCheckHelp.approved.txt (+2 −2, modified)
    @@ -353,8 +353,8 @@ Truststore:
     
     --tls-hostname-verifier <tls-hostname-verifier>
                          The TLS hostname verification policy for out-going HTTPS and SMTP requests.
    -                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
    -                       DEFAULT. Default: DEFAULT.
    +                       ANY should not be used in production. Possible values are: ANY, WILDCARD
    +                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
     --truststore-paths <truststore-paths>
                          List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                            directories containing those files that will be used as a system truststore.
    
  • quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityMetadataHelpAll.approved.txt (+2 −2, modified)
    @@ -498,8 +498,8 @@ Truststore:
     
     --tls-hostname-verifier <tls-hostname-verifier>
                          The TLS hostname verification policy for out-going HTTPS and SMTP requests.
    -                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
    -                       DEFAULT. Default: DEFAULT.
    +                       ANY should not be used in production. Possible values are: ANY, WILDCARD
    +                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
     --truststore-paths <truststore-paths>
                          List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                            directories containing those files that will be used as a system truststore.
    
  • quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityMetadataHelp.approved.txt (+2 −2, modified)
    @@ -351,8 +351,8 @@ Truststore:
     
     --tls-hostname-verifier <tls-hostname-verifier>
                          The TLS hostname verification policy for out-going HTTPS and SMTP requests.
    -                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
    -                       DEFAULT. Default: DEFAULT.
    +                       ANY should not be used in production. Possible values are: ANY, WILDCARD
    +                       (deprecated), STRICT (deprecated), DEFAULT. Default: DEFAULT.
     --truststore-paths <truststore-paths>
                          List of pkcs12 (p12, pfx, or pkcs12 file extensions), PEM files, or
                            directories containing those files that will be used as a system truststore.
    
  • services/src/main/java/org/keycloak/truststore/JSSETruststoreConfigurator.java (+3 −22, modified)
    @@ -17,15 +17,12 @@
     
     package org.keycloak.truststore;
     
    -import org.keycloak.common.enums.HostnameVerificationPolicy;
    -import org.keycloak.models.KeycloakSession;
    -import org.keycloak.models.KeycloakSessionFactory;
    -
    -import java.security.cert.X509Certificate;
     import javax.net.ssl.SSLContext;
     import javax.net.ssl.TrustManager;
     import javax.net.ssl.TrustManagerFactory;
    -import javax.net.ssl.X509TrustManager;
    +
    +import org.keycloak.models.KeycloakSession;
    +import org.keycloak.models.KeycloakSessionFactory;
     
     /**
      * @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
    @@ -76,22 +73,6 @@ public TrustManager[] getTrustManagers() {
                 return null;
             }
     
    -        if (getProvider().getPolicy() == HostnameVerificationPolicy.ANY) {
    -            return new TrustManager[] {
    -                    new X509TrustManager() {
    -                        public X509Certificate[] getAcceptedIssuers() {
    -                            return new X509Certificate[0];
    -                        }
    -
    -                        public void checkClientTrusted(X509Certificate[] certs, String authType) {
    -                        }
    -
    -                        public void checkServerTrusted(X509Certificate[] certs, String authType) {
    -                        }
    -                    }
    -            };
    -        }
    -
             if (tm == null) {
                 synchronized (this) {
                     if (tm == null) {
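Review bot: this hunk is the actual fix, and the removed branch deserves a comment in the commit message explaining why it was dangerous: the `X509TrustManager` it returned had empty `checkServerTrusted` and `checkClientTrusted` bodies and an empty `getAcceptedIssuers`, so whenever `getProvider().getPolicy()` was `HostnameVerificationPolicy.ANY` every certificate chain was accepted, which is the truststore bypass described in the advisory. With the branch gone, `getTrustManagers()` always falls through to the truststore-backed `tm` initialised in the `synchronized` block below. Two follow-ups: confirm that no other caller selected a trust manager based on `HostnameVerificationPolicy.ANY` (the import of that enum is dropped from this file, so the compiler will only catch uses here), and keep a regression test that asserts an untrusted server certificate is still rejected under the `ANY` policy; the `TrustStoreEmailTest` hunks add such a case for SMTP, and the same check is worth having for outgoing HTTPS.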
    
  • testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/ssl/TrustStoreEmailTest.java (+23 −10, modified)
    @@ -18,8 +18,10 @@
     
     import org.jboss.arquillian.graphene.page.Page;
     import org.junit.After;
    +import org.junit.FixMethodOrder;
     import org.junit.Rule;
     import org.junit.Test;
    +import org.junit.runners.MethodSorters;
     import org.keycloak.admin.client.resource.UserResource;
     import org.keycloak.common.enums.HostnameVerificationPolicy;
     import org.keycloak.events.Details;
    @@ -50,6 +52,7 @@
      *
      * @author fkiss
      */
    +@FixMethodOrder(MethodSorters.NAME_ASCENDING)
     public class TrustStoreEmailTest extends AbstractTestRealmKeycloakTest {
     
         @Page
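Review bot: `@FixMethodOrder(MethodSorters.NAME_ASCENDING)` together with the `test01`..`test06` renames makes the class order-dependent, which hides the reason a test only passes after another. If the dependency is the truststore SPI state set by `modifyTruststoreSpiHostnamePolicy`, resetting it in an `@After` method (the class already imports `org.junit.After`) would keep each test independent and make the ordering annotation unnecessary; if ordering is needed for another reason, a comment on the annotation should say what it is.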
    @@ -149,12 +152,7 @@ public void verifyEmailWithSslEnabled(Boolean opportunistic) {
         }
     
         @Test
    -    public void verifyEmailWithSslEnabled() {
    -        verifyEmailWithSslEnabled(false);
    -    }
    -
    -    @Test
    -    public void verifyEmailWithSslWrongCertificate() throws Exception {
    +    public void test01VerifyEmailWithSslWrongCertificate() throws Exception {
             UserRepresentation user = ApiUtil.findUserByUsername(testRealm(), "test-user@localhost");
     
             SslMailServer.startWithSsl(this.getClass().getClassLoader().getResource(SslMailServer.INVALID_KEY).getFile());
    @@ -179,7 +177,17 @@ public void verifyEmailWithSslWrongCertificate() throws Exception {
         }
     
         @Test
    -    public void verifyEmailWithSslWrongHostname() throws Exception {
    +    public void test02VerifyEmailWithSslWrongCertificateAndAnyHostnamePolicy() throws Exception {
    +        testingClient.testing().modifyTruststoreSpiHostnamePolicy(HostnameVerificationPolicy.ANY);
    +        try {
    +            test01VerifyEmailWithSslWrongCertificate();
    +        } finally {
    +            testingClient.testing().reenableTruststoreSpi();
    +        }
    +    }
    +
    +    @Test
    +    public void test03erifyEmailWithSslWrongHostname() throws Exception {
             UserRepresentation user = ApiUtil.findUserByUsername(testRealm(), "test-user@localhost");
     
             try (RealmAttributeUpdater updater = new RealmAttributeUpdater(testRealm())
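Review bot: `test03erifyEmailWithSslWrongHostname` is missing the `V` and should read `test03VerifyEmailWithSslWrongHostname`; it compiles, but the name breaks the pattern the other methods follow. Separately, `test02VerifyEmailWithSslWrongCertificateAndAnyHostnamePolicy` is the regression test for this advisory (the wrong certificate must still be rejected even though the `ANY` policy disables hostname matching), and that intent is only implied by reusing `test01…` inside the `try`/`finally`; a one-line comment stating that the expected failure is the certificate rejection, not a hostname mismatch, would stop a future edit from weakening it.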
    @@ -208,19 +216,24 @@ public void verifyEmailWithSslWrongHostname() throws Exception {
         }
     
         @Test
    -    public void verifyEmailWithSslWrongHostnameButAnyHostnamePolicy() throws Exception {
    +    public void test04VerifyEmailWithSslEnabled() {
    +        verifyEmailWithSslEnabled(false);
    +    }
    +
    +    @Test
    +    public void test05VerifyEmailWithSslWrongHostnameButAnyHostnamePolicy() throws Exception {
             testingClient.testing().modifyTruststoreSpiHostnamePolicy(HostnameVerificationPolicy.ANY);
             try (RealmAttributeUpdater updater = new RealmAttributeUpdater(testRealm())
                     .setSmtpServer("host", "localhost.localdomain")
                     .update()) {
    -            verifyEmailWithSslEnabled();
    +            test04VerifyEmailWithSslEnabled();
             } finally {
                 testingClient.testing().reenableTruststoreSpi();
             }
         }
     
         @Test
    -    public void verifyEmailOpportunisticEncryptionWithAnyHostnamePolicy() throws Exception {
    +    public void test06VerifyEmailOpportunisticEncryptionWithAnyHostnamePolicy() throws Exception {
             testingClient.testing().modifyTruststoreSpiHostnamePolicy(HostnameVerificationPolicy.ANY);
             try (RealmAttributeUpdater updater = new RealmAttributeUpdater(testRealm())
                     .setSmtpServer("host", "localhost.localdomain")
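Review bot: `test05VerifyEmailWithSslWrongHostnameButAnyHostnamePolicy` now calls `test04VerifyEmailWithSslEnabled()`, a `@Test` method invoking another `@Test` method; calling the parameterised `verifyEmailWithSslEnabled(false)` helper directly, as `test04` itself does, keeps the helper as the single entry point and avoids tying the body of one test to the numbering of another.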
    
  • testsuite/integration-arquillian/tests/base/src/test/resources/keystore/email_invalid.jks (+0 −0, modified)
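Review bot: `email_invalid.jks` is a binary keystore, so the diff shows nothing about what changed; the commit message should state how it was regenerated (which certificate and key it now holds and why the previous one no longer served the wrong-certificate case). If this is the `INVALID_KEY` resource that `SslMailServer.startWithSsl` loads in `test01…`, reviewers cannot otherwise tell what the test asserts against.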
