CVE-2025-3985

Source
https://cve.org/CVERecord?id=CVE-2025-3985
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-3985.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-3985
Aliases
Published
2025-04-27T21:15:16.300Z
Modified
2026-04-10T05:26:50.475050Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

A vulnerability was found in Apereo CAS 5.2.6. It has been classified as problematic. This affects the function ResponseEntity of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\ManageRegisteredServicesMultiActionController.java. The manipulation of the argument Query leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

Affected packages

Git / github.com/jasig/cas

Affected ranges

Type
GIT
Repo
https://github.com/jasig/cas
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.2.6"
        }
    ]
}

Affected versions

3.*
3.4.11-RC1
v3.*
v3.4.11
v3.5.0
v3.5.0-RC1
v3.5.0-RC2
v3.5.1-RC1
v4.*
v4.0.0
v4.0.0-RC1
v4.0.0-RC2
v4.0.0-RC3
v4.0.0-RC4
v4.1.0-RC1
v4.1.0-RC2
v5.*
v5.0.0
v5.0.0.RC1
v5.0.0.RC2
v5.0.0.RC3
v5.0.0.RC4
v5.1.0-RC1
v5.1.0-RC3
v5.1.0-RC4
v5.1.0.RC1
v5.2.0
v5.2.0-RC1
v5.2.1
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v5.2.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-3985.json"