Mercator CVE Configuration Vulnerable to Server-Side Request Forgery (SSRF)

Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists in Mercator's CVE configuration panel (/admin/config/parameters). The testProvider() method in ConfigurationController passes user-supplied input directly to curl_init() without validating the scheme, hostname, or destination IP address. An authenticated user with the configure permission can force the Mercator server to issue arbitrary outbound network requests. The suffix /api/dbInfo appended to the URL can be bypassed by injecting a # fragment character (e.g. http://TARGET/PATH#), allowing full control over the target URL. No scheme whitelist, host whitelist, or private/loopback IP block is applied. The telnet:// scheme can be used for internal port scanning; the gopher:// scheme enables interaction with unauthenticated internal services (Redis, Memcached), potentially leading to Remote Code Execution under specific deployment conditions. Version 2025.05.19 patches the issue.