CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-48059 – PowSyBl Core Contains a Polynomial ReDoS in RegexCriterion
https://notcve.org/view.php?id=CVE-2025-48059
20 Jun 2025 — PowSyBl (Power System Blocks) is a framework to build power system oriented software. In com.powsybl:powsybl-iidm-criteria versions 6.3.0 to before 6.7.2 and com.powsybl:powsybl-contingency-api versions 5.0.0 to before 6.3.0, there is a a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the RegexCriterion class. This class compiles and evaluates an unvalidated, user-supplied regular expression against the identifier of an Identifiable object via Pattern.compile(regex).match... • https://github.com/powsybl/powsybl-core/commit/d8398f689a5ccd505bd62eee2bd6670a29133110 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48058 – PowSyBl Core contains Polynomial REDoS’es
https://notcve.org/view.php?id=CVE-2025-48058
20 Jun 2025 — PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, there is a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the PowSyBl's DataSource mechanism. If successfully exploited, a malicious actor can cause significant CPU consumption due to regex backtracking — even with polynomial patterns. This issue has been patched in com.powsybl:powsybl-commons: 6.7.2. • https://github.com/powsybl/powsybl-core/commit/72f79dec6d4292f892fbddd68a19c67935c7d81f • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47771 – PowSyBl Core allows deserialization of untrusted SparseMatrix data
https://notcve.org/view.php?id=CVE-2025-47771
19 Jun 2025 — PowSyBl (Power System Blocks) is a framework to build power system oriented software. In versions 6.3.0 to 6.7.1, there is a deserialization issue in the read method of the SparseMatrix class that can lead to a wide range of privilege escalations depending on the circumstances. This method takes in an InputStream and returns a SparseMatrix object. This issue has been patched in com.powsybl:powsybl-math: 6.7.2. A workaround for this issue involves not using SparseMatrix deserialization (SparseMatrix.read(...... • https://github.com/powsybl/powsybl-core/commit/8ed16ce41683c4aef5f6aa1dd5ae8642aa5ed2bd • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47293 – PowSyBl Core XML Reader allows XXE and SSRF
https://notcve.org/view.php?id=CVE-2025-47293
19 Jun 2025 — PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, in certain places, powsybl-core XML parsing is vulnerable to an XML external entity (XXE) attack and to a server-side request forgery (SSRF) attack. This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system. The vulnerable class is com.powsybl.commons.xml.XmlReader which is considered to be untrusted in use cases w... • https://github.com/powsybl/powsybl-core/commit/e6c7c4997ae8758b54a2f23ce1a499e25113acdc • CWE-611: Improper Restriction of XML External Entity Reference CWE-918: Server-Side Request Forgery (SSRF) •