CVE-2024-11734 - Keycloak Denial of Service via Malicious Security Header Injection

In early 2024, a significant vulnerability (CVE-2024-11734) was discovered in Keycloak, an open-source identity and access management solution widely used by organizations for single sign-on and identity brokering. This security flaw affects administrative users who have rights to update realm settings. By inserting newlines into the security headers configuration, an attacker can disrupt the Keycloak service, causing denial of service (DoS) conditions.

This post will explain the vulnerability in simple terms, walk you through an example exploit, and share links to official references.

What Is CVE-2024-11734?

CVE-2024-11734 is a denial of service vulnerability. It can be exploited by any Keycloak admin user who can edit realm security headers. By inserting newline characters (like \n or %d%a) into a custom security header value, the Keycloak server is tricked into trying to write to an HTTP response stream after it has already been closed. This leads to an exception on the server and the failure of the current and possibly other requests.

Impact:
- Keycloak admin users can intentionally or accidentally crash the Keycloak web server thread handling the request.

Add or update a security header value, like this

X-Frame-Options: DENY
Another-Header: value\nInjected-Header: injected

In reality, you’d normally use a value like this in the web UI

Injected-Header: injected

But if you enter something like

malicious-value
Injected-Header: broken

or, even sneakier, encode the newline as %a or %d%a if there’s any server-side decoding, you effectively end up with a security header field that, when written out by Keycloak’s response logic, causes chaos in the HTTP protocol stream.

2. Keycloak’s Faulty Processing

Keycloak’s code tries to write headers to the HTTP response object. Due to the newline injection, the web server may believe the response is already finished. When Keycloak writes again, it throws an error like:

java.lang.IllegalStateException: Cannot call sendError() after the response has been committed

or

IllegalStateException: response already closed

3. Server Disruption

Once exploited, any user trying to authenticate or interact with Keycloak in that realm may face broken responses, disrupted logins, or be blocked from services that depend on Keycloak.

Set a security header value with a newline, like

X-Test: foo
bar

Or, in JSON for an API request

{
  "headers": [
    {
      "name": "X-Test",
      "value": "foo\nbar"
    }
  ]
}

Prevention and Fix

Keycloak fixed this flaw in subsequent versions by sanitizing input for security headers and forbidding newline or non-printable characters.

- Upgrade: If you’re running Keycloak prior to the fixed version (check this advisory or Red Hat’s guide), you should upgrade as soon as possible.
- Sanitization: Never allow user or admin-supplied header values containing newlines, carriage returns, or other control characters.

References

- Keycloak Security Bulletin
- CVE-2024-11734 at NVD
- Keycloak Documentation: Security Headers
- Mitre CVE Record

Conclusion

CVE-2024-11734 is a clear reminder that user input—even from trusted admins—should always be validated. If you use Keycloak, audit your deployment and ensure you’re running the latest secure version. Don’t allow newlines or other special characters in HTTP security headers.

Timeline

Published on: 01/14/2025 09:15:19 UTC
Last modified on: 01/15/2025 05:37:36 UTC