CVE-2025-47293

PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, in certain places, powsybl-core XML parsing is vulnerable to an XML external entity (XXE) attack and to a server-side request forgery (SSRF) attack. This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system. The vulnerable class is com.powsybl.commons.xml.XmlReader which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels. This issue has been patched in com.powsybl:powsybl-commons: 6.7.2.

CVSS

No CVSS.

References

Link	Resource
https://github.com/powsybl/powsybl-core/commit/e6c7c4997ae8758b54a2f23ce1a499e25113acdc
https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2
https://github.com/powsybl/powsybl-core/security/advisories/GHSA-qpj9-qcwx-8jv2

Configurations

No configuration.

History

23 Jun 2025, 20:16

Type	Values Removed	Values Added
Summary		(es) PowSyBl (Power System Blocks) es un framework para crear software orientado a sistemas de energía. Antes de la versión 6.7.2, en ciertas áreas, el análisis de XML de powsybl-core era vulnerable a ataques de entidad externa XML (XXE) y a server-side request forgery (SSRF). Esto permite a un atacante elevar sus privilegios para leer archivos para los que no tiene permiso, incluyendo archivos confidenciales del sistema. La clase vulnerable es com.powsybl.commons.xml.XmlReader, que se considera no confiable en casos donde usuarios no confiables pueden enviar su XML a los métodos vulnerables. Esto puede ocurrir en una aplicación multiusuario que aloja a muchos usuarios diferentes, posiblemente con diferentes niveles de privilegio. Este problema se ha corregido en com.powsybl:powsybl-commons: 6.7.2.

19 Jun 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-19 22:15

Updated : 2025-06-23 20:16

NVD link : CVE-2025-47293

Mitre link : CVE-2025-47293

CVE.ORG link : CVE-2025-47293

JSON object : View

Products Affected

No product.

CWE

CWE-611

Improper Restriction of XML External Entity Reference

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2025-47293", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-19T22:15:19.983", "references": [{"url": "https://github.com/powsybl/powsybl-core/commit/e6c7c4997ae8758b54a2f23ce1a499e25113acdc", "source": "security-advisories@github.com"}, {"url": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2", "source": "security-advisories@github.com"}, {"url": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-qpj9-qcwx-8jv2", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-611"}, {"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, in certain places, powsybl-core XML parsing is vulnerable to an XML external entity (XXE) attack and to a server-side request forgery (SSRF) attack. This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system. The vulnerable class is com.powsybl.commons.xml.XmlReader which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels. This issue has been patched in com.powsybl:powsybl-commons: 6.7.2."}, {"lang": "es", "value": "PowSyBl (Power System Blocks) es un framework para crear software orientado a sistemas de energ\u00eda. Antes de la versi\u00f3n 6.7.2, en ciertas \u00e1reas, el an\u00e1lisis de XML de powsybl-core era vulnerable a ataques de entidad externa XML (XXE) y a server-side request forgery (SSRF). Esto permite a un atacante elevar sus privilegios para leer archivos para los que no tiene permiso, incluyendo archivos confidenciales del sistema. La clase vulnerable es com.powsybl.commons.xml.XmlReader, que se considera no confiable en casos donde usuarios no confiables pueden enviar su XML a los m\u00e9todos vulnerables. Esto puede ocurrir en una aplicaci\u00f3n multiusuario que aloja a muchos usuarios diferentes, posiblemente con diferentes niveles de privilegio. Este problema se ha corregido en com.powsybl:powsybl-commons: 6.7.2."}], "lastModified": "2025-06-23T20:16:40.143", "sourceIdentifier": "security-advisories@github.com"}