CVE-2025-3986

MEDIUM

Apereo CAS 5.2.6 - Inefficient Regular Expression Complexity

Title source: llm

Description

A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repository\src\main\java\org\apereo\cas\metadata\rest\CasConfigurationMetadataServerController.java. The manipulation of the argument Name leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.306322

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.306322

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.557473

Not Applicable exploit

https://wx.mail.qq.com/s?k=rk-m8GwRMVMcOjBY1a

Scores

CVSS v3 4.3

EPSS 0.0050

EPSS Percentile 38.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1333 CWE-400

Status published

Products (2)

apereo/central_authentication_service 5.2.6

org.apereo.cas/cas-server-core-configuration-metadata-repository 0Maven

Published Apr 27, 2025

Tracked Since Feb 18, 2026