CVE-2025-6552
Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-24

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in java-aodeng Hope-Boot 1.0.0. It has been classified as problematic. Affected is the function doLogin of the file /src/main/java/com/hope/controller/WebController.java of the component Login. The manipulation of the argument redirect_url leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-24
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2025-06-24
EPSS Evaluated
2026-05-05
NVD
EUVD
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
KEV
CWE ID: CWE-601
Description: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-6552 is an open redirect vulnerability in the java-aodeng Hope-Boot version 1.0.0, specifically in the doLogin function of the WebController.java file. The vulnerability arises because the application does not properly validate the redirect_url parameter, allowing attackers to craft URLs that redirect users to malicious external sites. This can be exploited remotely without authentication but requires user interaction. [1, 2]


How can this vulnerability impact me?

This vulnerability can be exploited to redirect users to attacker-controlled malicious websites, facilitating phishing or social engineering attacks. It impacts the integrity of the application by allowing attackers to manipulate user navigation, potentially leading to credential theft or malware distribution. The exploit is easy to execute remotely and does not require authentication, increasing the risk to users. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP requests to the /doLogin and /login endpoints of the hope-boot 1.0.0 application for suspicious or unexpected redirect_url parameters that point to external or untrusted domains. You can use network traffic inspection tools or web server logs to identify such requests. For example, using command-line tools like curl or wget to test the endpoints with crafted redirect_url parameters can help verify if the application redirects without validation. A sample curl command to test might be: curl -v 'http://target-domain/doLogin?redirect_url=http://malicious-site.com'. Additionally, web application scanners that detect open redirect vulnerabilities can be used to automate detection. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting or validating the redirect_url parameter to ensure it only allows redirects to trusted internal URLs. Since no official vendor fix or patch is available, consider implementing input validation or filtering at the application or web server level to block malicious redirect URLs. Alternatively, disable or restrict access to the vulnerable endpoints (/doLogin and /login) if possible. As a longer-term solution, consider replacing the affected hope-boot 1.0.0 component with a secure alternative. Monitoring and educating users about phishing risks related to this vulnerability is also recommended. [2]
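The validation the mitigation describes, restricting redirect_url to local paths on the same host, as an added example that is not Hope-Boot's code; the class and method names are assumed, and a login controller would return "redirect:" + SafeRedirect.resolve(redirectUrl) instead of the raw parameter.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Hypothetical helper (not from the project): maps a user-supplied
// redirect_url to a same-site path, or to the fallback when it could leave the site.
public final class SafeRedirect {
    private static final String FALLBACK = "/";

    public static String resolve(String redirectUrl) {
        if (redirectUrl == null || redirectUrl.isBlank()) {
            return FALLBACK;
        }
        // Only a single leading slash is acceptable: "//host" is scheme-relative,
        // "/\host" is treated like "//host" by browsers, and "http:" or "javascript:"
        // values carry a scheme of their own.
        if (!redirectUrl.startsWith("/") || redirectUrl.startsWith("//")
                || redirectUrl.startsWith("/\\")) {
            return FALLBACK;
        }
        try {
            URI uri = new URI(redirectUrl).normalize();
            // Any scheme or authority that survived parsing means an external target.
            if (uri.getScheme() != null || uri.getAuthority() != null) {
                return FALLBACK;
            }
            // Re-check the decoded path: "/%2F%2Fhost" decodes to "///host",
            // and "%5C" decodes to a backslash, both of which escape the site.
            String decoded = uri.getPath();
            if (decoded == null || !decoded.startsWith("/")
                    || decoded.startsWith("//") || decoded.indexOf('\\') >= 0) {
                return FALLBACK;
            }
            // Keep path and query only; drop fragments and anything unexpected.
            String query = uri.getRawQuery();
            return query == null ? uri.getRawPath() : uri.getRawPath() + "?" + query;
        } catch (URISyntaxException e) {
            return FALLBACK;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate path and several external forms.
        String[] samples = {"/home?tab=1", "//evil.example/x", "http://evil.example",
                "/\\evil.example", "/%2F%2Fevil.example", "javascript:alert(1)", null};
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s));
        }
    }
}
```

Only the first sample resolves to itself; every other input falls back to "/".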

