CVE-2025-6517 – Dromara MaxKey Meta URL SAML20DetailsController.java add server-side request forgery

https://notcve.org/view.php?id=CVE-2025-6517

23 Jun 2025 — A vulnerability was found in Dromara MaxKey up to 4.1.7 and classified as critical. This issue affects the function Add of the file maxkey-webs\maxkey-web-mgt\src\main\java\org\dromara\maxkey\web\apps\contorller\SAML20DetailsController.java of the component Meta URL Handler. The manipulation of the argument post leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/honorseclab/vulns/blob/main/dromara_MaxKey/SSRF.md • CWE-918: Server-Side Request Forgery (SSRF) •