CVE-2025-3985: Apereo CAS has inefficient regular expression complexity

April 27, 2025 (updated November 6, 2025)

A vulnerability was found in Apereo CAS 5.2.6. It has been classified as problematic. This affects the function ResponseEntity of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\ManageRegisteredServicesMultiActionController.java. The manipulation of the argument Query leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

github.com/advisories/GHSA-8rx4-fxq5-vj4v
github.com/apereo/cas
nvd.nist.gov/vuln/detail/CVE-2025-3985
vuldb.com/?ctiid.306321
vuldb.com/?id.306321
vuldb.com/?submit.557110
wx.mail.qq.com/s?k=lzDuxVkSRXUZ0bwZEG

Code Behaviors & Features

Detect and mitigate CVE-2025-3985 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →