ReDoS Vulnerability in Apereo CAS 5.2.6 Affects Configuration Metadata Server
CVE-2025-3986
Key Information:
Badges
What is CVE-2025-3986?
A vulnerability exists in Apereo CAS version 5.2.6 due to inefficient regular expression complexity within the cas-server-core-configuration-metadata-repository component. Attackers can manipulate the argument Name to trigger this flaw remotely, potentially leading to denial of service conditions. The issue, which has been publicly disclosed, poses a significant risk given that it can be exploited without any special permissions. The vendor was informed of this vulnerability but has not responded to the disclosure.
Affected Version(s)
CAS 5.2.6
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
