cvelistv5 - cve-2025-48058

CVE-2025-48058 (GCVE-0-2025-48058)

Vulnerability from cvelistv5

Published

2025-06-20 00:39

Modified

2025-06-20 13:28

Severity ?

6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CWE

CWE-1333 - Inefficient Regular Expression Complexity

Summary

PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, there is a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the PowSyBl's DataSource mechanism. If successfully exploited, a malicious actor can cause significant CPU consumption due to regex backtracking — even with polynomial patterns. This issue has been patched in com.powsybl:powsybl-commons: 6.7.2.

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/powsybl/powsybl-core/commit/72f79dec6d4292f892fbddd68a19c67935c7d81f
	security-advisories@github.com	https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2
	security-advisories@github.com	https://github.com/powsybl/powsybl-core/security/advisories/GHSA-rqpx-f6rc-7hm5

Impacted products

	Vendor	Product	Version
	powsybl	powsybl-core	Version: < 6.7.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-48058",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-20T13:27:49.842890Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-20T13:28:27.265Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "powsybl-core",
          "vendor": "powsybl",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.7.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, there is a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the PowSyBl\u0027s DataSource mechanism. If successfully exploited, a malicious actor can cause significant CPU consumption due to regex backtracking \u2014 even with polynomial patterns. This issue has been patched in com.powsybl:powsybl-commons: 6.7.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-20T00:39:06.725Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-rqpx-f6rc-7hm5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-rqpx-f6rc-7hm5"
        },
        {
          "name": "https://github.com/powsybl/powsybl-core/commit/72f79dec6d4292f892fbddd68a19c67935c7d81f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/powsybl/powsybl-core/commit/72f79dec6d4292f892fbddd68a19c67935c7d81f"
        },
        {
          "name": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2"
        }
      ],
      "source": {
        "advisory": "GHSA-rqpx-f6rc-7hm5",
        "discovery": "UNKNOWN"
      },
      "title": "PowSyBl Core contains Polynomial REDoS\u2019es"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-48058",
    "datePublished": "2025-06-20T00:39:06.725Z",
    "dateReserved": "2025-05-15T16:06:40.940Z",
    "dateUpdated": "2025-06-20T13:28:27.265Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-48058\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-20T01:15:38.530\",\"lastModified\":\"2025-06-23T20:16:40.143\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, there is a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the PowSyBl\u0027s DataSource mechanism. If successfully exploited, a malicious actor can cause significant CPU consumption due to regex backtracking \u2014 even with polynomial patterns. This issue has been patched in com.powsybl:powsybl-commons: 6.7.2.\"},{\"lang\":\"es\",\"value\":\"PowSyBl (Power System Blocks) es un framework para crear software orientado a sistemas de energ\u00eda. Antes de la versi\u00f3n 6.7.2, exist\u00eda una posible vulnerabilidad de denegaci\u00f3n de servicio por expresiones regulares (ReDoS) polin\u00f3mica en el mecanismo DataSource de PowSyBl. Si se explota con \u00e9xito, un agente malicioso puede causar un consumo significativo de CPU debido al retroceso de expresiones regulares, incluso con patrones polin\u00f3micos. Este problema se ha corregido en com.powsybl:powsybl-commons: 6.7.2.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"references\":[{\"url\":\"https://github.com/powsybl/powsybl-core/commit/72f79dec6d4292f892fbddd68a19c67935c7d81f\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/powsybl/powsybl-core/security/advisories/GHSA-rqpx-f6rc-7hm5\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48058\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-20T13:27:49.842890Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-20T13:27:54.460Z\"}}], \"cna\": {\"title\": \"PowSyBl Core contains Polynomial REDoS\\u2019es\", \"source\": {\"advisory\": \"GHSA-rqpx-f6rc-7hm5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"powsybl\", \"product\": \"powsybl-core\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.7.2\"}]}], \"references\": [{\"url\": \"https://github.com/powsybl/powsybl-core/security/advisories/GHSA-rqpx-f6rc-7hm5\", \"name\": \"https://github.com/powsybl/powsybl-core/security/advisories/GHSA-rqpx-f6rc-7hm5\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/powsybl/powsybl-core/commit/72f79dec6d4292f892fbddd68a19c67935c7d81f\", \"name\": \"https://github.com/powsybl/powsybl-core/commit/72f79dec6d4292f892fbddd68a19c67935c7d81f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2\", \"name\": \"https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, there is a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the PowSyBl\u0027s DataSource mechanism. If successfully exploited, a malicious actor can cause significant CPU consumption due to regex backtracking \\u2014 even with polynomial patterns. This issue has been patched in com.powsybl:powsybl-commons: 6.7.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1333\", \"description\": \"CWE-1333: Inefficient Regular Expression Complexity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-06-20T00:39:06.725Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-48058\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-20T13:28:27.265Z\", \"dateReserved\": \"2025-05-15T16:06:40.940Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-06-20T00:39:06.725Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2025-48058

Vulnerability from fkie_nvd

Published

2025-06-20 01:15

Modified

2025-06-23 20:16

Severity ?

6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Summary

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/powsybl/powsybl-core/commit/72f79dec6d4292f892fbddd68a19c67935c7d81f
	security-advisories@github.com	https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2
	security-advisories@github.com	https://github.com/powsybl/powsybl-core/security/advisories/GHSA-rqpx-f6rc-7hm5

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, there is a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the PowSyBl\u0027s DataSource mechanism. If successfully exploited, a malicious actor can cause significant CPU consumption due to regex backtracking \u2014 even with polynomial patterns. This issue has been patched in com.powsybl:powsybl-commons: 6.7.2."
    },
    {
      "lang": "es",
      "value": "PowSyBl (Power System Blocks) es un framework para crear software orientado a sistemas de energ\u00eda. Antes de la versi\u00f3n 6.7.2, exist\u00eda una posible vulnerabilidad de denegaci\u00f3n de servicio por expresiones regulares (ReDoS) polin\u00f3mica en el mecanismo DataSource de PowSyBl. Si se explota con \u00e9xito, un agente malicioso puede causar un consumo significativo de CPU debido al retroceso de expresiones regulares, incluso con patrones polin\u00f3micos. Este problema se ha corregido en com.powsybl:powsybl-commons: 6.7.2."
    }
  ],
  "id": "CVE-2025-48058",
  "lastModified": "2025-06-23T20:16:40.143",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-06-20T01:15:38.530",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/powsybl/powsybl-core/commit/72f79dec6d4292f892fbddd68a19c67935c7d81f"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-rqpx-f6rc-7hm5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1333"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-rqpx-f6rc-7hm5

Vulnerability from github

Published

2025-06-19 16:19

Modified

2025-06-20 14:20

Severity ?

6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Summary

PowSyBl Core contains Polynomial REDoS’es

Details

Impact

What kind of vulnerability is it? Who is impacted?

This is an advisory for a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the PowSyBl's DataSource mechanism. When the listNames(String regex) method is called on a DataSource, the user-supplied regular expression (which may be unvalidated) is compiled and evaluated against a collection of file-like resource names.

To trigger a polynomial ReDoS via this mechanism, two attacker-controlled conditions must be met: - Control over the regex input passed into listNames(String regex). - Example: An attacker supplies a malicious pattern like (.*a){10000}. - Control or influence over the file/resource names being matched. - Example: Filenames such as "aaaa...!" that induce regex engine backtracking.

If both conditions are satisfied, a malicious actor can cause significant CPU consumption due to regex backtracking — even with polynomial patterns. Since both inputs can be controlled via a publicly accessible method or external filesystem handling, the listNames(String regex) method is considered vulnerable to polynomial REDoS.

Unlike classic catastrophic exponential ReDoS, this subtle attack exploits a greedy .* prefix followed by a fixed suffix, repeated multiple times.
When applied to long filenames that almost match the pattern, the regex engine performs extensive backtracking, degrading performance predictably with input size. In a multi-tenant environment, an attacker can degrade the performance - and thereby the availability - of the server to an extent that it affects other users of the application. This can for example be useful if an attacker wants to delay other users in a scenario where a time advantage can be a competitive advantage.
A tricky part in this is that the attacker needs to control both the pattern and the input which may not always be the case.

Am I impacted?

You are vulnerable if you make direct calls to the listNames(String regex) method on a class implementing the ReadOnlyDataSource interface, don't control the regular expression used as regex parameter, and if this datasource points to an archive or directory where an untrusted user may edit the filenames. For instance, this could be the case if you want to list the files made available by a datasource which names respect a user-provided regular expression. Note that only direct calls to this method are concerned. There are several usages of this method in powsybl, but the provided regular expressions are all hardcoded and therefore cannot be provided by a malicious user.

Patches

com.powsybl:powsybl-commons:6.7.2 and higher

References

powsybl-core v6.7.2

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.7.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.powsybl:powsybl-commons"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48058"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-19T16:19:33Z",
    "nvd_published_at": "2025-06-20T01:15:38Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThis is an advisory for a **potential polynomial Regular Expression Denial of Service (ReDoS)** vulnerability in the PowSyBl\u0027s DataSource mechanism. When the `listNames(String regex)` method is called on a DataSource, the user-supplied regular expression (which may be unvalidated) is compiled and evaluated against a collection of file-like resource names.\n\nTo trigger a **polynomial ReDoS** via this mechanism, **two attacker-controlled conditions** must be met:\n- **Control over the regex input** passed into `listNames(String regex)`.\n  - _Example:_ An attacker supplies a malicious pattern like `(.*a){10000}`.\n- **Control or influence over the file/resource names** being matched.\n  - _Example:_ Filenames such as `\"aaaa...!\"` that induce regex engine backtracking.\n\nIf both conditions are satisfied, a malicious actor can cause **significant CPU consumption** due to regex backtracking \u2014 even\nwith polynomial patterns. Since both inputs can be controlled via a publicly accessible method or external filesystem handling,\nthe `listNames(String regex)` method is considered vulnerable to polynomial **REDoS**.\n\nUnlike classic _catastrophic exponential_ ReDoS, this subtle attack exploits a greedy `.*` prefix followed by a fixed suffix, repeated multiple times.  \nWhen applied to long filenames that almost match the pattern, the regex engine performs extensive backtracking, degrading performance predictably with input size. In a multi-tenant environment, an attacker can degrade the performance - and thereby the availability - of the server to an extent that it affects other users of the application. This can for example be useful if an attacker wants to delay other users in a scenario where a time advantage can be a competitive advantage.  \nA tricky part in this is that the attacker needs to control both the pattern and the input which may not always be the case.\n\n#### Am I impacted?\nYou are vulnerable if you make direct calls to the `listNames(String regex)` method on a class implementing the `ReadOnlyDataSource` interface, don\u0027t control the regular expression used as `regex` parameter, and if this datasource points to an archive or directory where an untrusted user may edit the filenames.\nFor instance, this could be the case if you want to list the files made available by a datasource which names respect a user-provided regular expression.\nNote that only direct calls to this method are concerned. There are several usages of this method in powsybl, but the provided regular expressions are all hardcoded and therefore cannot be provided by a malicious user.\n\n### Patches\ncom.powsybl:powsybl-commons:6.7.2 and higher\n\n### References\n[powsybl-core v6.7.2](https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2)",
  "id": "GHSA-rqpx-f6rc-7hm5",
  "modified": "2025-06-20T14:20:59Z",
  "published": "2025-06-19T16:19:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-rqpx-f6rc-7hm5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48058"
    },
    {
      "type": "WEB",
      "url": "https://github.com/powsybl/powsybl-core/commit/72f79dec6d4292f892fbddd68a19c67935c7d81f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/powsybl/powsybl-core"
    },
    {
      "type": "WEB",
      "url": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PowSyBl Core contains Polynomial REDoS\u2019es"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-48058 (GCVE-0-2025-48058)

Vulnerability from cvelistv5

fkie_cve-2025-48058

Vulnerability from fkie_nvd

ghsa-rqpx-f6rc-7hm5

Vulnerability from github

Impact

Am I impacted?

Patches

References

Tags

Sightings

Nomenclature