CVE-2025-6517

6.3 MEDIUM

📋 TL;DR

This Server-Side Request Forgery (SSRF) vulnerability in Dromara MaxKey, rated 6.3 (Medium) above, allows an attacker to manipulate the Meta URL Handler so that the server issues requests to attacker-chosen destinations. Through such requests an attacker can potentially reach internal systems, exfiltrate data, or perform other malicious actions. All MaxKey deployments up to and including version 4.1.7 are affected.

💻 Affected Systems

Products:
  • Dromara MaxKey
Versions: Up to and including 4.1.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with the vulnerable component enabled are affected. The Meta URL Handler is part of the SAML20DetailsController.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, exfiltrate sensitive data, pivot to internal networks, or perform denial-of-service attacks against internal systems.

🟠 Likely Case

Attackers will scan for and exploit this vulnerability to access internal APIs, cloud metadata services, or other internal resources reachable from the MaxKey server.

🟢 If Mitigated

With proper network segmentation and egress filtering, impact is limited to what the server can reach within its allowed network boundaries.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in GitHub repositories. Remote exploitation is possible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

1. Monitor MaxKey GitHub repository for security updates
2. Apply any available patches for versions above 4.1.7
3. Restart MaxKey service after patching

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict outbound network access from MaxKey servers to only the destinations they require.

Input Validation (applies to: all)

Implement strict URL validation for the Meta URL Handler parameter.
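As an added illustration of the Input Validation workaround (example code written for this page, not MaxKey's own code), the validator below accepts a metadata URL only if its scheme and port are permitted, its host is on an operator-supplied allowlist, and any IP literal is globally routable. The allowlist parameter, the `(accepted, reason)` return value and the port set are assumptions of this example; the three metadata hostnames come from the SIEM query later on this page.

```python
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Cloud metadata endpoints named in this page's SIEM query; rejected even if
# an operator mistakenly adds them to the allowlist.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "169.254.170.2"}

# Assumed: an IdP metadata fetch only ever needs the default HTTP(S) ports.
ALLOWED_PORTS = {80, 443}


def _is_internal_ip(host: str) -> bool:
    """True if host is an IP literal outside globally routable space
    (RFC 1918, loopback, link-local, CGNAT, documentation ranges, ...)."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # a DNS name, not an IP literal
    return not addr.is_global


def validate_meta_url(url: str, allowed_hosts: set[str]) -> tuple[bool, str]:
    """Return (accepted, reason) for a user-supplied metadata URL.

    Only scheme, userinfo, host and port are checked. A production filter
    must additionally resolve the hostname and re-check every resulting
    address at connection time (DNS rebinding); that step is omitted here
    so the example runs offline.
    """
    if not isinstance(url, str) or not url or len(url) > 2048:
        return False, "missing or oversized url"
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme.lower() not in {"http", "https"}:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in url"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host"
    try:
        port = parts.port  # raises ValueError for non-numeric/out-of-range ports
    except ValueError:
        return False, "invalid port"
    if port is not None and port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    if host in METADATA_HOSTS:
        return False, "cloud metadata endpoint"
    if _is_internal_ip(host):
        return False, "non-global ip literal"
    if host not in {h.lower() for h in allowed_hosts}:
        return False, f"host not allowlisted: {host}"
    return True, "ok"


if __name__ == "__main__":
    allow = {"idp.example.com"}  # constructed allowlist
    for candidate in (
        "https://idp.example.com/saml/metadata",
        "http://169.254.169.254/latest/meta-data/",
        "http://10.0.0.5/",
        "file:///etc/hosts",
    ):
        print(candidate, "->", validate_meta_url(candidate, allow))
```

The allowlist is deliberately exact-match on the lower-cased hostname rather than a suffix match, so `idp.example.com.attacker.example` does not pass; the IP-literal check rejects the metadata and private ranges even when they are written as IPv6 or bracketed literals.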

🧯 If You Can't Patch

  • Implement strict egress filtering to limit what the MaxKey server can access
  • Deploy a WAF with SSRF protection rules in front of MaxKey

🔍 How to Verify

Check if Vulnerable:

Check the MaxKey version. If it is 4.1.7 or lower, the system is vulnerable.

Check Version:

Check MaxKey application properties or deployment manifest for version information

Verify Fix Applied:

Verify MaxKey version is above 4.1.7 and test the Meta URL Handler endpoint with SSRF payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from MaxKey server
  • Requests to internal IP addresses or cloud metadata services

Network Indicators:

  • Unexpected outbound connections from MaxKey server to internal systems

SIEM Query:

source="maxkey" AND (url="169.254.169.254" OR url="metadata.google.internal" OR url="169.254.170.2")
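As an added illustration of the SIEM query above (example code written for this page, not MaxKey's or any SIEM vendor's), the scan below runs over constructed egress-log lines and flags the three metadata endpoints the query names. It goes one step beyond the query by also flagging any destination written as a non-global IP literal, which covers the "requests to internal IP addresses" log indicator. The `ts=... src=... url=... status=...` line format is an assumption, not MaxKey's real log output.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# The cloud metadata targets named in the SIEM query on this page.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "169.254.170.2"}

# Constructed sample egress-log lines (assumed format; not real MaxKey logs).
SAMPLE_LOGS = """\
2025-06-24T10:01:02Z src=maxkey-01 url=https://idp.example.com/saml/metadata status=200
2025-06-24T10:01:05Z src=maxkey-01 url=http://169.254.169.254/latest/meta-data/ status=200
2025-06-24T10:01:09Z src=maxkey-01 url=http://10.0.3.15:8080/api/health status=401
2025-06-24T10:01:12Z src=maxkey-01 url=http://metadata.google.internal/computeMetadata/v1/ status=200
2025-06-24T10:01:20Z src=maxkey-01 url=https://login.example.org/federationmetadata.xml status=200
malformed line that the parser should skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$"
)


def classify_target(url: str) -> str:
    """Classify the destination host of one outbound request.

    Returns "cloud-metadata" for the hosts the SIEM query lists,
    "internal-ip" for an IP literal outside globally routable space
    (RFC 1918, loopback, link-local, ...), and "external" otherwise.
    """
    host = (urlsplit(url).hostname or "").lower()
    if host in METADATA_HOSTS:
        return "cloud-metadata"
    try:
        if not ipaddress.ip_address(host).is_global:
            return "internal-ip"
    except ValueError:
        pass  # a DNS name, not an IP literal
    return "external"


def find_ssrf_indicators(log_text: str) -> list[dict[str, str]]:
    """Return one record per log line whose destination is not external."""
    hits: list[dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not match the assumed format
        kind = classify_target(m["url"])
        if kind != "external":
            hits.append({"ts": m["ts"], "src": m["src"], "url": m["url"], "class": kind})
    return hits


if __name__ == "__main__":
    for hit in find_ssrf_indicators(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['src']} -> {hit['url']} [{hit['class']}]")
```

Matching on the parsed hostname rather than on a substring of the URL avoids both false positives (the metadata address appearing in a query string of a legitimate request) and misses (the address written with a port or IPv6 brackets); on the sample above the scan reports the two metadata fetches and the 10.0.3.15 request and ignores the two legitimate IdP fetches.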
