CVE-2025-3985

Name of the Vulnerable Software and Affected Versions Apereo CAS version 5.2.6

Description A vulnerability was found in Apereo CAS, affecting the function ResponseEntity of the file ManageRegisteredServicesMultiActionController.java. The manipulation of the argument Query leads to inefficient regular expression complexity, allowing for a remote attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond.

Recommendations As a temporary workaround, consider restricting access to the ResponseEntity function in the ManageRegisteredServicesMultiActionController.java file until a patch is available. Avoid using the Query argument in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.