CVE-2025-6517 MEDIUM

CVE-2025-6517: Dromara MaxKey Meta URL SAML20DetailsController.java add server-side request forgery

Vendor Dromara

Product MaxKey

Weakness CWE-918 · SSRF

Published June 23, 2025

Last update June 24, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A vulnerability was found in Dromara MaxKey up to 4.1.7 and classified as critical. This issue affects the function Add of the file maxkey-webs\maxkey-web-mgt\src\main\java\org\dromara\maxkey\web\apps\contorller\SAML20DetailsController.java of the component Meta URL Handler. The manipulation of the argument post leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

Disclosure timeline

June 23, 2025 CVE published

June 24, 2025 Record updated

Identifiers

CVE CVE-2025-6517

CWE CWE-918

CVSS 5.3 / MEDIUM

Affected versions

Vendor Dromara

Product MaxKey

Affected 4.1.0

Vendor Dromara

Product MaxKey

Affected 4.1.1

Vendor Dromara

Product MaxKey

Affected 4.1.2

Vendor Dromara

Product MaxKey

Affected 4.1.3

Vendor Dromara

Product MaxKey

Affected 4.1.4

Vendor Dromara

Product MaxKey

Affected 4.1.5

Vendor Dromara

Product MaxKey

Affected 4.1.6

Vendor Dromara

Product MaxKey

Affected 4.1.7