Platform
java
Component
com.powsybl:powsybl-commons
Fixed in
6.7.3
6.7.2
CVE-2025-47293 is an XML External Entity (XXE) issue in the com.powsybl.commons.xml.XmlReader class of the com.powsybl:powsybl-commons library that can be abused for Server-Side Request Forgery (SSRF). An attacker who can supply XML to the reader can make the application fetch local files or remote resources it should not reach, including sensitive system files. The issue affects powsybl-commons versions up to and including 6.7.1; a fix is available in version 6.7.2.
The root cause is that XmlReader parses XML with external entity resolution enabled. Malicious input can declare an external entity that points at a local file (file://) or at a network URL, and the parser fetches it on the attacker's behalf: this is classic XXE, with SSRF as its consequence. Depending on how the parsed content is echoed back or logged, that can expose configuration files, credentials, or responses from internal services. The exposure is worse in multi-tenant deployments, where XML submitted by one tenant is parsed by a process that can read data belonging to others. Arbitrary file read on a server is a serious issue in its own right, but note the limit: this CVE is a disclosure issue, not code execution.
CVE-2025-47293 was publicly disclosed on 2025-06-19. Its CVSS base score is 2.5 (LOW). CVSS rates severity, not likelihood of exploitation; the EPSS figure on this page (0.07%) is the likelihood estimate, and it is also low. No public proof-of-concept (PoC) code has been released as of this writing, and the CVE is not listed in the CISA KEV catalog. The impact is limited to reading files or reaching resources from the server, not remote code execution.
Applications that use com.powsybl:powsybl-commons 6.7.1 or earlier are at risk. The most exposed are Java applications that parse XML from untrusted sources through this library, for example multi-tenant services or integrations that import files from external systems. Legacy deployments that are not kept current are also at increased risk.
• java / server: locate the library and check its version against 6.7.2
find / -name "powsybl-commons-*.jar" 2>/dev/null
mvn dependency:tree -Dincludes=com.powsybl:powsybl-commons
• linux / server: look for XML parsing errors in the application's journal
journalctl -u <application_name> | grep -i "xml parsing"
• generic web: there is no reliable remote fingerprint. powsybl-commons is a library, not a web server, and does not set an HTTP Server header, so a check such as curl -I <application_url> | grep -i "Server: Powsybl" tells you nothing. Confirm the version on the server side instead.
Exploit status
EPSS
0.07% (22nd percentile)
CISA SSVC
The primary mitigation for CVE-2025-47293 is to upgrade to powsybl-commons 6.7.2 or later, which contains the fix. If you cannot upgrade immediately, reduce exposure at the XML layer: where you control the parser that feeds the library, disable DTD processing and external entity resolution; where you do not, restrict who can submit XML and reject documents that contain a DOCTYPE before they reach the reader. Whitelisting elements and attributes does not by itself stop XXE, because the entity is expanded before your schema checks run. A Web Application Firewall (WAF) can block obvious payloads (a DOCTYPE with a SYSTEM or PUBLIC entity) but is best-effort. Monitor application logs for XML parsing errors and watch for unexpected outbound connections from the application host. After upgrading, confirm the fix in a test environment with a benign XXE probe (an entity pointing at a harmless local file) and verify that the document is rejected or the entity is not expanded.
Update the powsybl-commons library to version 6.7.2 or later. This fixes the XXE and SSRF issues in the XML reader. Make sure that every dependency that itself uses powsybl-commons is updated as well, to avoid pulling in a vulnerable version through a conflict.
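The following is an added example for the verification step above, not code from the powsybl project: it shows a default StAX XMLInputFactory beside a hardened one, then feeds both a constructed XXE probe that references a harmless local file. The class and method names, and the choice of /etc/hostname as the probe target, are assumptions for illustration; the hardening properties (SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES) are standard javax.xml.stream settings.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

// Hypothetical harness (not part of powsybl): compares an unhardened StAX
// parser with a hardened one against a benign XXE probe.
public class XxeProbe {

    // Constructed probe: declares an external entity pointing at a harmless
    // local file. A vulnerable parser expands &xxe; to the file's contents.
    static final String PROBE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE root [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
      + "<root>&xxe;</root>";

    // Weak setup: the factory as created by default. With the JDK's built-in
    // StAX implementation, DTDs are processed and external entities are
    // typically resolved, which is the failure mode behind this CVE.
    static XMLInputFactory weakFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened setup: refuse DTDs entirely and never fetch external entities.
    // Rejecting the DTD also blocks parameter-entity and billion-laughs tricks.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Parses the document and returns the text under <root>, or the parser's
    // rejection message. A secure configuration either throws on the DOCTYPE
    // or leaves the entity unexpanded; it never returns file contents.
    static String parse(XMLInputFactory factory, String xml) {
        try {
            XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
            StringBuilder text = new StringBuilder();
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                } else if (event == XMLStreamConstants.ENTITY_REFERENCE) {
                    // Entity reported but not replaced: record that, not its value.
                    text.append("[unexpanded entity: ").append(reader.getLocalName()).append(']');
                }
            }
            return "parsed: " + text.toString().trim();
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("default  -> " + parse(weakFactory(), PROBE));
        System.out.println("hardened -> " + parse(hardenedFactory(), PROBE));
    }
}
```

Run it against an application's own XML entry point in a test environment: if the hostname (or whatever benign file you point the entity at) shows up in the parsed output, the parser on that path is still resolving external entities and the upgrade or hardening has not taken effect.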
CVE-2025-47293 is an XXE vulnerability in the XmlReader class of the powsybl-commons library, exploitable for Server-Side Request Forgery (SSRF), that allows an attacker who can supply XML to read files on the server or make it fetch other resources.
You are affected if your application uses powsybl-commons version 6.7.1 or earlier. Upgrade to 6.7.2 or later to mitigate the risk.
The recommended fix is to upgrade to powsybl-commons version 6.7.2 or later. Input validation and WAF rules can provide temporary mitigation.
As of now, there is no confirmed active exploitation of CVE-2025-47293, and no public PoCs are available.
Refer to the powsybl-commons project's official website or repository for the advisory and release notes related to CVE-2025-47293.