CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Description
PowSyBl (Power System Blocks) is a framework to build power system oriented software. In versions 6.3.0 to 6.7.1, there is a deserialization issue in the read method of the SparseMatrix class that can lead to a wide range of privilege escalations depending on the circumstances. This method takes in an InputStream and returns a SparseMatrix object. This issue has been patched in com.powsybl:powsybl-math 6.7.2. A workaround for this issue involves not using SparseMatrix deserialization (the SparseMatrix.read(...) methods).
Analysis
PowSyBl versions 6.3.0 through 6.7.1 contain an unsafe deserialization vulnerability in the SparseMatrix.read() method that allows remote attackers to achieve arbitrary code execution and privilege escalation without authentication or user interaction. The vulnerability affects the powsybl-math library, a core component of the Power System Blocks framework used in power grid management software. Exploitation requires only network access to an application exposing the vulnerable deserialization method.
Technical Context
The vulnerability exists in the SparseMatrix class's read() method (CWE-502: Deserialization of Untrusted Data), which accepts an InputStream and reconstructs a SparseMatrix object without proper validation. PowSyBl is a framework for building power system software; the vulnerable component is the com.powsybl:powsybl-math library, versions 6.3.0 to 6.7.1. The root cause is unsafe Java deserialization: an attacker can craft a malicious serialized object that, when deserialized by the vulnerable read() method, executes arbitrary code. This is a classic gadget-chain attack vector leveraging Java's serialization mechanism. The attack surface includes any application using PowSyBl's SparseMatrix deserialization capabilities, particularly power flow analysis, contingency analysis, or network computation modules that consume untrusted matrix data.
Affected Products
powsybl-math: 6.3.0, 6.3.1, 6.4.0, 6.4.1, 6.5.0, 6.5.1, 6.6.0, 6.6.1, 6.7.0, 6.7.1
PowSyBl Core Framework: 6.3.0 to 6.7.1 (any installation using the powsybl-math library)
Remediation
Upgrade (priority: Critical): Upgrade com.powsybl:powsybl-math to version 6.7.2 or later. Update the Maven dependency or rebuild the PowSyBl distribution with the patched library.
Workaround (priority: High): Disable or avoid use of the SparseMatrix.read(...) methods. Refactor code so that SparseMatrix objects are not deserialized from untrusted sources; use alternative serialization formats (JSON, XML with schema validation) or pre-computed matrix representations.
Mitigation (priority: High): Implement input validation and deserialization filtering. Use Java deserialization filters (JEP 290) to block untrusted classes. Wrap SparseMatrix.read() calls with try-catch and log suspicious deserialization attempts. Restrict network access to APIs exposing matrix deserialization.
Detection: Monitor for exploitation attempts. Audit application logs for ClassNotFoundException, StreamCorruptedException, or SecurityException during object deserialization. Monitor for unexpected process spawning or file system access following matrix data ingestion.
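The following is an added illustration of the JEP 290 mitigation and the detection point above; it is not PowSyBl's code and does not use the library. DemoMatrix is a constructed stand-in for a serialized matrix payload, the HashMap is a benign stand-in for any class the filter was not told to expect, and the process-wide filter pattern naming com.powsybl.math.matrix is an assumption that must be adjusted to the package the deployed classes actually live in. Requires Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/**
 * Added example, not PowSyBl code: a JEP 290 allowlist filter on a single
 * ObjectInputStream, and a process-wide filter for streams that a library
 * method (such as SparseMatrix.read(InputStream)) creates internally.
 */
public class DeserializationFilterDemo {

    /** Constructed stand-in with primitive fields only; not the real SparseMatrix. */
    public static final class DemoMatrix implements Serializable {
        private static final long serialVersionUID = 1L;
        final int rowCount;
        final int columnCount;
        final int nonZeroCount;

        DemoMatrix(int rowCount, int columnCount, int nonZeroCount) {
            this.rowCount = rowCount;
            this.columnCount = columnCount;
            this.nonZeroCount = nonZeroCount;
        }
    }

    /** Allowlist: only DemoMatrix may be resolved, every other class is rejected ("!*").
     *  maxdepth/maxbytes bound resource use from deeply nested or oversized graphs. */
    static final ObjectInputFilter MATRIX_ONLY = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxbytes=1048576;" + DemoMatrix.class.getName() + ";!*");

    /** Vulnerable pattern (what the advisory describes): no filter, so any Serializable
     *  class on the classpath can be reconstructed from attacker-controlled bytes. */
    static Object readUnfiltered(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            return ois.readObject();
        }
    }

    /** Hardened pattern: the filter is consulted for each class before it is resolved. */
    static DemoMatrix readFiltered(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(MATRIX_ONLY);
            return (DemoMatrix) ois.readObject();
        }
    }

    /** Serialize an object to bytes; used here only to construct sample inputs. */
    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legitimate = toBytes(new DemoMatrix(3, 3, 5));
        byte[] unexpected = toBytes(new HashMap<String, String>()); // constructed, benign

        DemoMatrix m = readFiltered(new ByteArrayInputStream(legitimate));
        System.out.println("accepted: " + m.rowCount + "x" + m.columnCount);

        try {
            readFiltered(new ByteArrayInputStream(unexpected));
        } catch (InvalidClassException e) {
            // A rejected class is the event to log and alert on (see Detection above).
            System.out.println("rejected by filter: " + e.getMessage());
        }

        // When the ObjectInputStream is created inside a library method the caller
        // cannot modify, setObjectInputFilter is out of reach; a process-wide filter
        // (settable once per JVM, or via -Djdk.serialFilter=... at startup) applies to
        // every ObjectInputStream created afterwards. The package pattern is an
        // assumption and must match the library classes actually deployed.
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter(
                "maxdepth=8;maxbytes=16777216;com.powsybl.math.matrix.*;!*"));
        System.out.println("process-wide filter installed");
    }
}
```

The process-wide filter is the control that matters for the advisory's case, because the caller of a library read method never sees the ObjectInputStream; note that `setSerialFilter` throws IllegalStateException if a filter was already set (for example through `jdk.serialFilter`), so install it once at application startup. A package allowlist still permits any class in that package plus whatever it references, so it narrows the gadget surface rather than eliminating it; upgrading to the patched library remains the fix.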
EUVD-2025-18706
GHSA-f5cx-h789-j959