CVE-2025-3986
Published 2025-04-27
Priority: P3 · 45 · High 7.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 0.52% (40.0th percentile)
A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repository\src\main\java\org\apereo\cas\metadata\rest\CasConfigurationMetadataServerController.java. The manipulation of the argument Name leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apereo | cas | — | — |
| apereo | central_authentication_service | — | — |
| axios | axios | >= 0 < 0.31.0 | 0.31.0 |
| axios | axios | >= 1.0.0 < 1.15.0 | 1.15.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P |
| vendor_redhat | — | 6.3 | MEDIUM | — |
GHSA
Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF
ghsa·2026-04-09
CVE-2025-62718 [CRITICAL] CWE-441 Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF
Axios does not correctly handle hostname normalization when checking `NO_PROXY` rules.
Requests to loopback addresses like `localhost.` (with a trailing dot) or `[::1]` (IPv6 literal) skip `NO_PROXY` matching and go through the configured proxy.
This goes against what developers expect and lets attackers force requests through a proxy, even if `NO_PROXY` is set up to protect loopback or internal services.
According to [RFC 1034 §3.1](https://datatracker.ietf.org/doc/html/rfc1034#section-3.1) and [RFC 3986 §3.2.2](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2), a hostname can have a trailing dot to show it is a fully qualified domain name (FQDN). At the DNS level, `localhost.` is the same as `localhost`.
Howev
OSV
Insufficient validation of bracketed IPv6 hostnames in net/url
osv·2025-10-29
CVE-2025-47912 Insufficient validation of bracketed IPv6 hostnames in net/url
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.
GHSA
Apereo CAS has inefficient regular expression complexity
ghsa·2025-04-27
CVE-2025-3986 [MEDIUM] CWE-400 Apereo CAS has inefficient regular expression complexity
A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repository\src\main\java\org\apereo\cas\metadata\rest\CasConfigurationMetadataServerController.java. The manipulation of the argument Name leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
OSV
Apereo CAS has inefficient regular expression complexity
osv·2025-04-27
CVE-2025-3986 [MEDIUM] Apereo CAS has inefficient regular expression complexity
A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repository\src\main\java\org\apereo\cas\metadata\rest\CasConfigurationMetadataServerController.java. The manipulation of the argument Name leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Red Hat
net/url: Insufficient validation of bracketed IPv6 hostnames in net/url
vendor_redhat·2025-10-29·CVSS 5.3
CVE-2025-47912 [MEDIUM] CWE-1286 net/url: Insufficient validation of bracketed IPv6 hostnames in net/url
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.
Package: rhai/assisted-installer-agent-rhel9 (Assisted Installer for Red Hat OpenShift Container Platform 2) - Fix deferred
Package: rhai/assisted-installer-controller-rhel9 (Assisted Installer for Red Hat OpenShift Container Platform 2) - Fix deferred
Package: rhai/assisted-installer-rhel9 (Assisted Installer for Red Hat OpenShift Container Plat
Red Hat
python: cpython: URL parser allowed square brackets in domain names
vendor_redhat·2025-01-31·CVSS 6.3
CVE-2025-0938 [MEDIUM] CWE-20 python: cpython: URL parser allowed square brackets in domain names
The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.
A flaw was found in Python. The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accept domain names that included square brackets, which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential p
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-47912 net/url: Insufficient validation of bracketed IPv6 hostnames in net/url
bugzilla·2025-10-29·CVSS 5.3
CVE-2025-47912 [MEDIUM] CVE-2025-47912 net/url: Insufficient validation of bracketed IPv6 hostnames in net/url
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.
Bugzilla
CVE-2025-0938 python: cpython: URL parser allowed square brackets in domain names
bugzilla·2025-01-31·CVSS 6.3
CVE-2025-0938 [MEDIUM] CVE-2025-0938 python: cpython: URL parser allowed square brackets in domain names
The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2025:6977 https://access.redhat.com/errata/RHSA-2025:6977
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2025:7107 https://access.redhat.com/errata/RHSA-2025:710