Platform
java
Component
com.powsybl:powsybl-commons
Fixed in
6.7.3
6.7.2
CVE-2025-47293 identifies a Server-Side Request Forgery (SSRF) and XML External Entity (XXE) vulnerability in the com.powsybl.commons.xml.XmlReader class of the com.powsybl:powsybl-commons library. Because the reader resolves external entities, an attacker who can supply XML to it can make the parsing process read local files that the attacker is not permitted to access (the process's own permissions apply, so this includes sensitive system and configuration files) and return their contents, and can make the process issue requests to URLs of the attacker's choosing. The vulnerability affects versions of powsybl-commons up to and including 6.7.1; a fix is available in version 6.7.2.
The SSRF/XXE vulnerability in powsybl-commons is a significant risk for any application that feeds untrusted XML to the library. The attack needs nothing more than a crafted document: a DOCTYPE that declares an external entity, for example <!ENTITY xxe SYSTEM "file:///etc/passwd"> or an http:// URL pointing at an internal service, and a reference to that entity (&xxe;) in the document body. When the parser expands the entity it reads the file or fetches the URL with the permissions and network position of the application. The file-read side can expose configuration details, credentials, API keys or other confidential information stored on the server; the request side lets the attacker reach internal services that are not exposed externally. In a multi-tenant deployment, any tenant who can submit XML gains read access to files on the shared host, including data belonging to other tenants.
CVE-2025-47293 was publicly disclosed on 2025-06-19. The CVSS base score is 2.5 (Low). Note that CVSS measures severity, not likelihood of exploitation; the probability estimate is the EPSS score, which stands at 0.07% (22nd percentile) at the time of writing. There are currently no publicly available proof-of-concept exploits, and the CVE is not listed in the CISA KEV catalog as of this writing.
Applications using com.powsybl:powsybl-commons version 6.7.1 or earlier are at risk, including applications that pull it in transitively through other PowSyBl modules, which all depend on powsybl-commons. Exposure is highest in Java applications that parse XML from untrusted sources, such as multi-tenant services or systems that import network files from external parties. Legacy systems that have not been regularly updated are also at increased risk.
• java / server (lists each deployed jar with the version recorded by Maven in the jar; 6.7.1 or lower is affected):
find / -name "powsybl-commons-*.jar" -print0 2>/dev/null | xargs -0 -I{} sh -c 'echo "{}"; unzip -p "{}" META-INF/maven/com.powsybl/powsybl-commons/pom.properties | grep "^version"'
• java / build (resolves the version pulled in transitively by other PowSyBl modules):
mvn dependency:tree -Dincludes=com.powsybl:powsybl-commons
• linux / server (XML keywords are case-sensitive, so no -i; only useful if the application logs parser errors or request bodies):
journalctl -u <application_name> | grep -E "XMLStreamException|<!DOCTYPE|<!ENTITY"
There is no network-visible banner for this library; HTTP response headers do not identify it, so confirm the version from the build or from the deployed jars.
Disclosure
Exploit status
EPSS
0.07% (22nd percentile)
CISA SSVC
The primary mitigation for CVE-2025-47293 is to upgrade to powsybl-commons version 6.7.2 or later, which contains the fix. If upgrading is not immediately feasible, reject XML from untrusted sources that carries a DOCTYPE declaration before it reaches the library: every entity declaration, internal or external, lives in the DTD, so a document without a DOCTYPE cannot carry an XXE payload. Restricting namespaces or element names does not help, because entity expansion happens before element-level validation. A Web Application Firewall (WAF) rule that blocks <!DOCTYPE and <!ENTITY in request bodies adds a layer of defence, but WAFs can be bypassed with encoding tricks, so treat it as defence in depth rather than a fix. The SSRF side of the bug shows up as network egress, not as anything the com.powsybl.commons.xml.XmlReader class logs, so monitor for unexpected outbound HTTP or FTP connections from the JVM process.
Update the powsybl-commons library to version 6.7.2 or higher. This fixes the XXE and SSRF vulnerabilities in the XML reader. Make sure that all dependencies that use powsybl-commons are updated as well, to avoid version conflicts.
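Added example (not code from the PowSyBl project or from this advisory): a stand-alone Java program that parses a constructed XXE payload with a default JDK StAX XMLInputFactory and then with one hardened against DTDs and external entities, and applies the DOCTYPE pre-check described in the mitigation above. It illustrates both the mechanism from the risk section and the interim mitigation. It uses the JDK's javax.xml.stream API directly rather than com.powsybl.commons.xml.XmlReader; the class name XxeDemo, the temporary file standing in for a sensitive file, and its contents are assumptions made for the demonstration.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class XxeDemo {

    // Reads the text content of the document's root element using the given factory.
    // With a factory that resolves external entities, the text includes whatever
    // the entity pointed at (a local file or a fetched URL).
    static String readRootText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT) {
                    return r.getElementText();
                }
            }
            return "";
        } finally {
            r.close();
        }
    }

    // Default JDK StAX factory: DTDs are processed and external entities resolved
    // unless the JDK has been restricted via jaxp.properties (vulnerable configuration).
    static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened factory: no DTD processing and no external entity resolution.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Coarse pre-parse gate for an application that cannot change the parser
    // configuration inside a library: refuse any document that carries a DOCTYPE.
    // The XML keyword is case-sensitive, so a plain substring check suffices on
    // already-decoded text; apply it after charset decoding, not to raw bytes.
    static boolean containsDoctype(String xml) {
        return xml.contains("<!DOCTYPE");
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" standing in for a file the attacker must not be able to read.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "secret-token-123".getBytes(StandardCharsets.UTF_8));

        // Canonical XXE payload: an external general entity pointing at a file: URI.
        // Pointing SYSTEM at an http:// URL instead would turn this into the SSRF variant
        // (the parser fetches the URL from the application's network position).
        String payload =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE network [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
          + "<network>&xxe;</network>";

        System.out.println("DOCTYPE gate rejects payload: " + containsDoctype(payload));

        try {
            System.out.println("Default factory returned: " + readRootText(defaultFactory(), payload));
        } catch (XMLStreamException e) {
            System.out.println("Default factory refused: " + e.getMessage());
        }
        try {
            System.out.println("Hardened factory returned: " + readRootText(hardenedFactory(), payload));
        } catch (XMLStreamException e) {
            System.out.println("Hardened factory refused: " + e.getMessage());
        }

        Files.deleteIfExists(secret);
    }
}
```

Run it with `java XxeDemo.java` (JDK 11 or later). On a default JDK the unhardened factory echoes the contents of the temporary file back as element text, which is exactly the file-read primitive the advisory describes; the hardened factory either throws an XMLStreamException for the unresolved entity or returns text without the file contents, depending on the JDK, and in either case the secret does not leak. The containsDoctype gate is the interim control for applications that cannot reach the factory inside the library.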
CVE-2025-47293 is a Server-Side Request Forgery (SSRF) and XML External Entity (XXE) vulnerability in the XmlReader class of the powsybl-commons library, allowing attackers who can supply XML to read sensitive files on the server and to make the server issue requests on their behalf.
You are affected if your application uses powsybl-commons version 6.7.1 or earlier. Upgrade to 6.7.2 or later to mitigate the risk.
The recommended fix is to upgrade to powsybl-commons version 6.7.2 or later. Rejecting DOCTYPE declarations in untrusted XML and WAF rules provide only temporary mitigation.
As of now, there is no confirmed active exploitation of CVE-2025-47293, and no public PoCs are available.
Refer to the powsybl-commons project's official website or repository for the advisory and release notes related to CVE-2025-47293.