Skip to main content

CVE-2025-6517: Server-Side Request Forgery in Dromara MaxKey

Medium
VulnerabilityCVE-2025-6517cvecve-2025-6517
Published: Mon Jun 23 2025 (06/23/2025, 18:00:15 UTC)
Source: CVE Database V5
Vendor/Project: Dromara
Product: MaxKey

Description

A vulnerability was found in Dromara MaxKey up to 4.1.7 and classified as critical. This issue affects the function Add of the file maxkey-webs\maxkey-web-mgt\src\main\java\org\dromara\maxkey\web\apps\contorller\SAML20DetailsController.java of the component Meta URL Handler. The manipulation of the argument post leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

AILast updated: 06/24/2025, 13:55:11 UTC

Technical Analysis

CVE-2025-6517 is a Server-Side Request Forgery (SSRF) vulnerability identified in Dromara MaxKey versions up to 4.1.7. The flaw exists in the Add function within the SAML20DetailsController.java file, specifically in the Meta URL Handler component. The vulnerability arises from improper validation and sanitization of the 'post' argument, which an attacker can manipulate to coerce the server into making unauthorized HTTP requests to arbitrary internal or external resources. This SSRF can be triggered remotely without requiring user interaction, and only requires low privileges (PR:L) on the system. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector (AV:N), low attack complexity (AC:L), no user interaction (UI:N), and limited impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The vulnerability does not require authentication (AT:N) but does require some privileges, indicating that an attacker with limited access could exploit it. The vendor has not responded to early disclosure attempts, and no patches or mitigations have been officially released. Although no known exploits are currently active in the wild, the public disclosure and availability of technical details increase the risk of exploitation. SSRF vulnerabilities can be leveraged to access internal services, bypass firewalls, or perform reconnaissance within protected networks, potentially leading to further compromise depending on the internal network architecture and services exposed internally. MaxKey is an open-source identity and access management (IAM) solution, often deployed in enterprise environments to manage authentication and authorization, making this vulnerability particularly relevant for organizations relying on MaxKey for secure access control.

Potential Impact

For European organizations using Dromara MaxKey, this SSRF vulnerability poses a moderate risk. Exploitation could allow attackers to access internal services that are otherwise inaccessible externally, potentially exposing sensitive data or enabling lateral movement within the network. Given MaxKey's role in identity and access management, compromise could undermine authentication mechanisms, leading to unauthorized access or privilege escalation. The medium CVSS score reflects limited direct impact on confidentiality, integrity, and availability, but the indirect consequences could be significant if internal services contain sensitive information or critical infrastructure components. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, may face increased risk due to potential exposure of personal or classified data. The lack of vendor response and patches increases the urgency for organizations to implement mitigations. The vulnerability's remote exploitability without user interaction further elevates the threat, especially in environments where MaxKey is exposed to untrusted networks or users with low privileges.

Mitigation Recommendations

1. Immediate mitigation should include restricting network access to the MaxKey management interface to trusted IP addresses only, minimizing exposure to untrusted networks. 2. Implement strict input validation and sanitization at the application or web server level to block malicious payloads targeting the 'post' parameter. 3. Employ web application firewalls (WAFs) with custom rules to detect and block SSRF attack patterns targeting MaxKey endpoints. 4. Monitor outbound traffic from servers hosting MaxKey for unusual or unauthorized requests to internal or external resources, enabling early detection of exploitation attempts. 5. If feasible, isolate MaxKey servers within segmented network zones with limited access to internal services to reduce potential SSRF impact. 6. Engage in active threat hunting and log analysis focusing on MaxKey logs and network traffic to identify potential exploitation attempts. 7. Stay alert for vendor updates or community patches and plan for prompt application once available. 8. Consider deploying runtime application self-protection (RASP) tools that can detect and block SSRF attempts dynamically. 9. Review and minimize privileges assigned to users who can access the vulnerable function to reduce exploitation risk. These measures go beyond generic advice by focusing on network segmentation, traffic monitoring, and proactive detection tailored to the MaxKey environment.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-06-23T12:21:44.852Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 685aaab34dc24046c1dc83cd

Added to database: 6/24/2025, 1:40:03 PM

Last enriched: 6/24/2025, 1:55:11 PM

Last updated: 8/13/2025, 6:41:23 AM

Views: 30

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats