Apereo CAS Regular Expression Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Apereo CAS version 5.2.6. The issue arises in the 'CasConfigurationMetadataServerController.java' file, where the caller-controlled 'name' argument is fed into inefficient regular expression processing (a regular expression denial of service, or ReDoS). A crafted value drives excessive CPU usage and degrades availability. The problem can be exploited remotely, and a proof-of-concept exploit is publicly available.
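As an added illustration, not code from CAS itself (this record does not reproduce the affected source), the hypothetical Java helper below places the unsafe pattern of compiling a request parameter straight into a regular expression next to a hardened version that bounds the input length, treats the value as a literal with Pattern.quote, and aborts matching once a time budget is exhausted. The class, method and parameter names are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical lookup helper (not CAS code): matches configuration property
// names against a caller-supplied 'name' request parameter.
public final class SafeNameMatcher {
    private static final int MAX_NAME_LENGTH = 128;   // assumed bound
    private static final long MATCH_BUDGET_MS = 50;   // assumed budget

    // Unsafe variant: the raw parameter becomes the regular expression, so
    // the caller fully controls how much backtracking the engine performs.
    static boolean matchesUnsafe(String name, String candidate) {
        return Pattern.compile(name).matcher(candidate).find();
    }

    // Hardened variant: reject oversized input, quote the value so it is a
    // literal rather than a pattern, and enforce a wall-clock deadline.
    static boolean matchesSafe(String name, String candidate) {
        if (name == null || name.length() > MAX_NAME_LENGTH) {
            throw new IllegalArgumentException("name missing or too long");
        }
        Pattern literal = Pattern.compile(Pattern.quote(name));
        long deadline = System.nanoTime() + MATCH_BUDGET_MS * 1_000_000L;
        Matcher m = literal.matcher(new DeadlineCharSequence(candidate, deadline));
        return m.find();
    }

    // The regex engine reads its input through CharSequence.charAt(), so a
    // wrapper that checks the deadline on every read cuts off a runaway match.
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;
        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }
        public int length() { return inner.length(); }
        public char charAt(int i) {
            if (System.nanoTime() > deadlineNanos) {
                throw new IllegalStateException("regex match exceeded time budget");
            }
            return inner.charAt(i);
        }
        public CharSequence subSequence(int s, int e) {
            return new DeadlineCharSequence(inner.subSequence(s, e), deadlineNanos);
        }
        public String toString() { return inner.toString(); }
    }
}
```

The deadline wrapper is a defence in depth: once the parameter is quoted, backtracking is already linear, and the budget protects any remaining patterns the service compiles itself.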

Impact

Exploitation of this vulnerability produces a denial-of-service condition: the affected request consumes excessive CPU, degrading the availability of the CAS server.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm (each category scored 0.0 to 10.0)

spread:          2.2
impact:          2.5
exploitability:  6.8
remediation:     0.0
relevance:       0.0
threat:          6.4
urgency:         2.9
incentive:       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.