Platform: java
Component: com.powsybl:powsybl-commons
Fixed in: 6.7.3, 6.7.2
CVE-2025-47293 identifies a Server-Side Request Forgery (SSRF) vulnerability in the com.powsybl.commons.xml.XmlReader class of the com.powsybl:powsybl-commons library. It allows an attacker to read files they lack permission to access, including sensitive system files, via the application's XML reader. The vulnerability affects powsybl-commons up to and including version 6.7.1; the fix is available in version 6.7.2.
The vulnerability arises from improper handling of XML input: the reader processes external entity declarations, which makes it subject to an XML External Entity (XXE) attack. A crafted XML document can instruct the application to fetch internal or external resources, and this can be leveraged to read arbitrary files the server process can access, potentially exposing configuration files, credentials, or other confidential data. The impact is amplified in multi-tenant deployments where many users share one application instance, because a successful attack could compromise the whole system. The ability to read sensitive files is a significant security risk and can lead to data breaches and further system compromise.
CVE-2025-47293 was publicly disclosed on 2025-06-19. The CVSS score is 2.5 (LOW), and the EPSS estimate below (0.07%) likewise indicates a relatively low probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, and the vulnerability is not listed in the CISA KEV catalog. Its impact is limited to reading files on the server; it does not provide remote code execution.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC
The primary mitigation for CVE-2025-47293 is to upgrade to powsybl-commons version 6.7.2 or later, which includes the fix. If upgrading is not immediately feasible, apply input validation and sanitization to XML data to prevent XXE attacks: disable DTD processing and external entity resolution in the XML parser (the most effective measure), allow-list the XML elements and attributes the application expects, and validate user-supplied input carefully. Web Application Firewalls (WAFs) can be configured to detect and block malicious XML payloads. Monitor application logs for suspicious XML parsing activity (for example, parser errors mentioning DOCTYPE or entity declarations) and for unusual outbound network requests from the application host. After upgrading, confirm the fix by attempting to trigger the XXE vulnerability with a known malicious XML payload and verifying that the request is blocked or handled safely.
Update the powsybl-commons library to version 6.7.2 or higher. This fixes the XXE and SSRF vulnerabilities in the XML reader. Ensure that all dependencies that use powsybl-commons are also updated to avoid version conflicts.
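The following Java program is an added example, not code from the powsybl project or its fix, showing the two parser-side measures described above for a StAX reader: a pre-parse gate that rejects any document carrying a DOCTYPE, and an XMLInputFactory configured so that DTD processing and external entity resolution are off. The sample document, the class name and the placeholder file path are constructed for the demonstration; the assumption that XmlReader is backed by a javax.xml.stream reader is the author's own, so treat the configuration as the generic hardening a practitioner would apply to any StAX parser.

```java
import java.io.StringReader;
import java.util.regex.Pattern;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/** Added example: hardening a StAX reader against XXE, plus a DOCTYPE pre-check. */
public class HardenedXmlReaderExample {

    // Constructed sample: a DOCTYPE declaring an external entity that points at a
    // placeholder local path, referenced from an attribute. This is the shape of
    // input that an XXE-prone reader would resolve and copy into the attribute.
    static final String SAMPLE_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE network [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/local/file\"> ]>\n"
        + "<network name=\"&ext;\"/>";

    // Constructed benign document of the same shape, without a DOCTYPE.
    static final String SAMPLE_BENIGN =
        "<?xml version=\"1.0\"?>\n<network name=\"demo\"/>";

    private static final Pattern DOCTYPE =
        Pattern.compile("<!DOCTYPE", Pattern.CASE_INSENSITIVE);

    /** Cheap pre-parse gate: documents from untrusted sources should not carry a DTD at all. */
    static boolean containsDoctype(String xml) {
        return DOCTYPE.matcher(xml).find();
    }

    /** Factory with DTD processing and external entity resolution switched off. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    /** Reads the root element's "name" attribute, the value an XXE payload tries to smuggle data into. */
    static String readRootName(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.START_ELEMENT) {
                    return reader.getAttributeValue(null, "name");
                }
            }
            return null;
        } finally {
            reader.close();
        }
    }

    /**
     * Parses with the given factory and reports the outcome. With the hardened
     * factory, the entity sample is either rejected with an XMLStreamException
     * (DTD not allowed / entity not declared, wording depends on the StAX
     * provider) or parsed with "&ext;" left unexpanded; the referenced file is
     * never opened in either case.
     */
    static String describe(String label, XMLInputFactory factory, String xml) {
        if (containsDoctype(xml)) {
            return label + ": rejected by DOCTYPE gate before parsing";
        }
        try {
            return label + ": parsed, name=" + readRootName(factory, xml);
        } catch (XMLStreamException e) {
            return label + ": rejected by parser (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws XMLStreamException {
        XMLInputFactory factory = hardenedFactory();
        System.out.println(describe("entity sample", factory, SAMPLE_WITH_EXTERNAL_ENTITY));
        System.out.println(describe("benign sample", factory, SAMPLE_BENIGN));
        // Parser-only check, bypassing the gate, to show the factory settings alone
        // are enough to keep the external entity from being resolved.
        try {
            System.out.println("parser-only: name=" + readRootName(factory, SAMPLE_WITH_EXTERNAL_ENTITY));
        } catch (XMLStreamException e) {
            System.out.println("parser-only: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The DOCTYPE gate is a coarse filter and is only appropriate where the application never needs DTDs, which is the normal situation for data exchange formats such as the ones this library reads; the factory properties are the measure that actually prevents resolution, and they should be set centrally wherever the application creates an XMLInputFactory rather than at individual call sites.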
CVE-2025-47293 is a Server-Side Request Forgery (SSRF) vulnerability in the powsybl-commons library, allowing attackers to potentially read sensitive files on the server.
You are affected if your application uses powsybl-commons version 6.7.1 or earlier. Upgrade to 6.7.2 or later to mitigate the risk.
The recommended fix is to upgrade to powsybl-commons version 6.7.2 or later. Input validation and WAF rules can provide temporary mitigation.
As of now, there is no confirmed active exploitation of CVE-2025-47293, and no public PoCs are available.
Refer to the powsybl-commons project's official website or repository for the advisory and release notes related to CVE-2025-47293.