Apereo CAS ResponseEntity ReDoS
Description
A vulnerability was found in Apereo CAS 5.2.6. It has been classified as problematic. This affects the function ResponseEntity of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\ManageRegisteredServicesMultiActionController.java. The manipulation of the argument Query leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-3985 describes a problematic inefficient regular expression complexity vulnerability in Apereo CAS 5.2.6's management web app, exploitable remotely via a crafted Query argument.
Vulnerability Analysis
CVE-2025-3985 is a vulnerability found in Apereo CAS version 5.2.6, specifically within the management web application component. The issue resides in the ManageRegisteredServicesMultiActionController.java file, in the function ResponseEntity. The vulnerability is classified as problematic due to inefficient regular expression complexity, which arises from the manipulation of the Query argument [1]. This flaw can lead to a regular expression denial of service (ReDoS) condition.
Exploitation
The attack can be initiated remotely without requiring authentication [1]. An attacker can craft a malicious input to the Query argument, causing the regular expression engine to consume excessive CPU resources. The exploit has been publicly disclosed, increasing the likelihood of active exploitation attempts [1].
Impact
Successful exploitation of this vulnerability could allow an attacker to cause a denial of service (DoS) condition against the CAS management web application, potentially affecting availability for legitimate users. The impact is limited to the management interface and does not appear to compromise other CAS services or data confidentiality [1].
Mitigation
As of the latest disclosure, the vendor (Apereo) was contacted but did not respond, and no official patch or workaround has been released for version 5.2.6 [1][2]. Given that version 5.2.6 is an older release, administrators should consider upgrading to a supported version of Apereo CAS and apply any security updates that may address this class of issue [2].
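The analysis above describes the general class of issue (a user-controlled Query value reaching a backtracking regex engine) and notes that no fix exists for 5.2.6. The following is an added defensive example written for this page; it is not Apereo CAS code and does not use the pattern from the affected controller. It shows the two controls an application can apply in front of any user-facing regex in Java: a hard cap on input length, and a wall-clock budget enforced through a `CharSequence` wrapper, since `java.util.regex` reads its input only through `charAt()` and has no built-in timeout. The class name, the sample pattern and the limits (`MAX_QUERY_LENGTH`, `MATCH_BUDGET_NANOS`) are hypothetical.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not Apereo CAS code): guard a user-supplied query against
 * runaway regex matching by (1) capping input length and (2) aborting the
 * match once a wall-clock budget is exhausted. Pattern and limits are
 * hypothetical and chosen for illustration only.
 */
public final class BoundedRegexFilter {

    /** Raised when the matcher exceeds its time budget. */
    public static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException(String msg) { super(msg); }
    }

    /**
     * A CharSequence view that checks the deadline on every charAt() call.
     * java.util.regex reads input through CharSequence, so an engine stuck
     * in exponential backtracking reaches the deadline quickly.
     */
    private static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        @Override public int length() { return inner.length(); }

        @Override public char charAt(int index) {
            if (System.nanoTime() > deadlineNanos) {
                throw new RegexTimeoutException("regex match exceeded time budget");
            }
            return inner.charAt(index);
        }

        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }

        @Override public String toString() { return inner.toString(); }
    }

    private static final int MAX_QUERY_LENGTH = 256;            // hypothetical cap
    private static final long MATCH_BUDGET_NANOS = 50_000_000L; // 50 ms, hypothetical

    /**
     * Returns true if the pattern is found in the query. Oversized input is
     * rejected before it reaches the regex engine, and a match that runs past
     * the budget is aborted. Both rejections are reported as "no match"; the
     * caller should log them, since a budget overrun is a detection signal.
     */
    public static boolean safeFind(Pattern pattern, String query) {
        if (query == null || query.length() > MAX_QUERY_LENGTH) {
            return false; // oversized input never reaches the regex engine
        }
        long deadline = System.nanoTime() + MATCH_BUDGET_NANOS;
        Matcher m = pattern.matcher(new DeadlineCharSequence(query, deadline));
        try {
            return m.find();
        } catch (RegexTimeoutException e) {
            // Log pattern id and query length only; the query itself may be hostile.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample filter for a service name; not the pattern from the CVE.
        Pattern filter = Pattern.compile("^[A-Za-z0-9._-]+$");
        System.out.println(safeFind(filter, "service-01"));
        System.out.println(safeFind(filter, "service 01"));
        System.out.println(safeFind(filter, "x".repeat(10_000)));
    }
}
```

The length cap is the cheaper and more reliable of the two controls: a backtracking engine's worst case grows with input length, so bounding the input bounds the work. The deadline wrapper is a backstop for patterns whose complexity is unknown, and the `RegexTimeoutException` it raises is worth counting in application metrics, because a burst of budget overruns on one endpoint is exactly what a ReDoS attempt looks like from the defender's side.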
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apereo.cas:cas-management-webapp-support (Maven) | <= 5.2.6 | — |
Affected products
- Apereo / CAS v5, affected range: 5.2.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- wx.mail.qq.com/s (exploit, web)
- github.com/advisories/GHSA-8rx4-fxq5-vj4v (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-3985 (advisory)
- vuldb.com (third-party advisory, web)
- vuldb.com (signature, permissions required, web)
- vuldb.com (VDB entry, technical description, web)
News mentions
No linked articles in our index yet.