CVE-2025-3985

LOW

Apereo CAS 5.2.6 - Inefficient Regular Expression Complexity in Query Parameter

Title source: llm

Description

A vulnerability was found in Apereo CAS 5.2.6. It has been classified as problematic. This affects the function ResponseEntity of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\ManageRegisteredServicesMultiActionController.java. The manipulation of the argument Query leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.306321

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.306321

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.557110

Not Applicable exploit

https://wx.mail.qq.com/s?k=lzDuxVkSRXUZ0bwZEG

Scores

CVSS v3 2.7

EPSS 0.0050

EPSS Percentile 38.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1333 CWE-400

Status published

Products (2)

apereo/central_authentication_service 5.2.6

org.apereo.cas/cas-management-webapp-support 0Maven

Published Apr 27, 2025

Tracked Since Feb 18, 2026