CVE-2025-47771 – com.powsybl:powsybl-math
Package
Manager: maven
Name: com.powsybl:powsybl-math
Vulnerable Version: >=6.3.0 <6.7.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
EPSS: 0.00057 (percentile 0.17648)
Details
PowSyBl Core allows deserialization of untrusted SparseMatrix data

### Impact

_What kind of vulnerability is it? Who is impacted?_

This is a disclosure for a security vulnerability in the `SparseMatrix` class. The vulnerability is a deserialization issue that can lead to a wide range of privilege escalations depending on the circumstances.

The problematic area is the `read` method of the `SparseMatrix` class. This method takes an `InputStream` and returns a `SparseMatrix` object. We consider this to be a method that can be exposed to untrusted input in at least two use cases:

- A user can adopt this method in an application where users can submit an `InputStream` and the application parses it into a `SparseMatrix`. This can be a multi-tenant application that hosts many different users, perhaps with different privilege levels.
- A user adopts the method for a local tool but receives the `InputStream` from external sources.

#### Am I impacted?

You are vulnerable if you import non-controlled serialized `SparseMatrix` objects.

### Patches

com.powsybl:powsybl-math:6.7.2 and higher

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

Do not use `SparseMatrix` deserialization (the `SparseMatrix.read(...)` methods).

### References

[powsybl-core v6.7.2](https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2)
Metadata
Created: 2025-06-19T16:19:16Z
Modified: 2025-06-20T14:19:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-f5cx-h789-j959/GHSA-f5cx-h789-j959.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-f5cx-h789-j959
Finding: F096
Auto approve: 1