CVE-2025-3984: 
Java vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-3984) was discovered in Apereo CAS 5.2.6, specifically affecting the saveService function in the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\RegisteredServiceSimpleFormController.java of the Groovy Code Handler component. The vulnerability was disclosed on April 27, 2025 (NVD, Wiz).

The vulnerability is classified as a code injection flaw with a high attack complexity. It received a CVSS v4.0 score of 2.3 (LOW) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N, and a CVSS v3.1 score of 5.0 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L. The vulnerability is associated with CWE-94 (Improper Control of Generation of Code) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) (NVD).

The vulnerability allows remote attackers to perform code injection attacks. The impact is considered moderate, affecting confidentiality, integrity, and availability at a low level, as indicated by the CVSS metrics (NVD).

The vendor was contacted early about this disclosure but did not respond in any way. No official patches or mitigations have been published at the time of this report (NVD).