Apereo CAS CasConfigurationMetadataServerController.java redos
Description
A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repository\src\main\java\org\apereo\cas\metadata\rest\CasConfigurationMetadataServerController.java. Manipulation of the argument `Name` leads to inefficient regular expression complexity (ReDoS). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apereo CAS 5.2.6 contains an inefficient regular expression complexity vulnerability in a REST controller, enabling remote denial of service.
Analysis
A vulnerability classified as problematic exists in Apereo CAS version 5.2.6, specifically in the file CasConfigurationMetadataServerController.java within the configuration-metadata-repository core module. The root cause is the handling of the argument `Name`, which is matched by a regular expression with inefficient (super-linear) complexity, i.e. a ReDoS condition. This class of flaw occurs when a crafted input causes the backtracking regular expression engine to explore an exponential or polynomial number of match paths, consuming significant CPU time on a single request and potentially stalling the server. [1]
Exploitation
The attack can be initiated remotely without authentication prerequisites, as the affected controller endpoint is reachable over the network. An attacker only needs to send a request to the vulnerable endpoint with a `Name` value crafted to trigger the inefficient regex pattern. The exploit has been publicly disclosed, which increases the likelihood of active exploitation. [1]
Impact
Successful exploitation allows an attacker to cause a denial of service (DoS) condition by exhausting server CPU resources. This can leave legitimate users unable to reach CAS services, affecting authentication and single sign-on for the entire deployment. The impact is limited to availability: the vulnerability is categorized as 'problematic' and does not lead to data leakage or code execution. [1]
Mitigation
As of the publication date, the vendor (Apereo) has not responded to the early disclosure, and no official patch or workaround has been provided. Users are advised to monitor the official CAS repository [2] for future fixes. Upgrade to a newer version of CAS if one is available; otherwise, restrict network access to the configuration metadata endpoint and apply web application firewall (WAF) rules that reject over-long or malformed `Name` values before they reach the controller.
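The following is an added example, not code from the Apereo CAS project, illustrating the kind of input guard a WAF rule or a request filter would apply to a property-name parameter before it reaches any backtracking regex. The allow-list pattern, the length cap and the sample inputs are all constructed here for illustration; the page does not disclose the actual pattern used by the controller. The check itself is linear in the input length, so it cannot be driven into catastrophic backtracking, and it rejects the two ingredients a ReDoS payload relies on: excessive length and characters outside the expected alphabet.

```python
import re

# Constructed allow-list for a dotted configuration property name such as
# "cas.server.name". Each segment is a bounded run of word characters or
# hyphens; segments are joined by single dots. The pattern has no nested or
# overlapping quantifiers, so the regex engine never backtracks super-linearly.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}(?:\.[A-Za-z0-9_-]{1,64})*")

# Constructed hard limit applied before any regex runs; a real deployment would
# pick this from the longest legitimate property name it serves.
MAX_NAME_LENGTH = 256


def is_safe_property_name(name: str) -> bool:
    """Return True only if `name` is short and matches the strict allow-list.

    The length check runs first so that an attacker-supplied multi-kilobyte
    value is dropped in O(1) without ever being handed to a regex.
    """
    if not isinstance(name, str) or not name:
        return False
    if len(name) > MAX_NAME_LENGTH:
        return False
    # fullmatch anchors both ends, so metacharacters such as '(' or '|' that an
    # attacker might use to disturb a downstream pattern are rejected outright.
    return _SAFE_NAME.fullmatch(name) is not None


def filter_names(candidates: list[str]) -> tuple[list[str], list[str]]:
    """Split a batch of request parameters into accepted and rejected values.

    Returned as (accepted, rejected) so a caller can log the rejected ones as a
    detection signal for probing against the endpoint.
    """
    accepted = [n for n in candidates if is_safe_property_name(n)]
    rejected = [n for n in candidates if not is_safe_property_name(n)]
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate property names, one over-long
    # value and one carrying regex metacharacters.
    samples = [
        "cas.server.name",
        "cas.authn.accept.users",
        "a" * 5000,
        "cas.(a+)+$",
    ]
    ok, bad = filter_names(samples)
    print("accepted:", ok)
    print("rejected:", [b[:20] + ("..." if len(b) > 20 else "") for b in bad])
```

The guard is deliberately stricter than the controller needs to be: an allow-list that describes only what legitimate clients send is easier to reason about than a deny-list of known payload shapes, and a rejected request is a cheap, high-signal event to alert on.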
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apereo.cas:cas-server-core-configuration-metadata-repository | Maven | <= 5.2.6 | — |
Affected products
- Apereo/CAS v5, affected range: 5.2.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- wx.mail.qq.com/s (exploit, web)
- github.com/advisories/GHSA-mvwq-hcrj-f5x9 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-3986 (advisory)
- vuldb.com (third-party advisory, web)
- vuldb.com (signature, permissions required, web)
- vuldb.com (VDB entry, technical description, web)
News mentions
No linked articles in our index yet.