VDB
CVE-2025-3986
CVE-2025-3986
PUBLISHED
CVSS 5.300000190734863 MEDIUM
A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repository\src\main\java\org\apereo\cas\metadata\rest\CasConfigurationMetadataServerController.java. The manipulation of the argument Name leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
EPSS 0.08% · 23.7th percentile
Risk Scores
CVSS 4.0
5.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS Score
0.08%
23.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Maven | org.apereo.cas:cas-server-core-configuration-metadata-repository | 0, 0 |
| Apereo | CAS | 5.2.6, 5.2.6 |
| apereo | central_authentication_service | 5.2.6, 5.2.6 |
Exploit Intelligence
- CIRCL seen: CVE-2025-3986 (circl-sighting)
- CIRCL seen: CVE-2025-3986 (circl-sighting)
- CIRCL seen: CVE-2025-3986 (circl-sighting)
- CIRCL seen: CVE-2025-3986 (circl-sighting)
- VDB-306322 | Apereo CAS CasConfigurationMetadataServerController.java redos (circl)
- VDB-306322 | CTI Indicators (IOB, IOC, TTP, IOA) (circl)
- Submit #557473 | Apereo CAS v5.2.6 ReDos Denial of Service (circl)
- https://wx.mail.qq.com/s?k=rk-m8GwRMVMcOjBY1a (cve.org)
- CVE-2025-38125.yara (github-yara)
- CVE-2025-38125.yara (github-yara)
…and 64 more exploits
Timeline
- Apr 27, 2025 CVE Published
- Apr 27, 2025 PoC Published
- Apr 27, 2025 PoC Published
- Apr 28, 2025 CVE Updated
- Apr 28, 2025 EPSS Score
- Apr 28, 2025 PoC Published
- May 10, 2025 EPSS Score
- May 22, 2025 EPSS Score
- Jun 3, 2025 EPSS Score
- Jun 15, 2025 EPSS Score
- Jun 27, 2025 EPSS Score
- Jul 9, 2025 EPSS Score