CVE-2025-48059 identifies a Regular Expression Denial of Service (ReDoS) vulnerability in the PowSyBl framework, specifically within the powsybl-core component. PowSyBl is an open-source framework designed for building power system oriented software, widely used for modeling and simulation of electrical power networks. The vulnerability exists in the RegexCriterion class found in the com.powsybl:powsybl-iidm-criteria versions 6.3.0 up to but not including 6.7.2, and com.powsybl:powsybl-contingency-api versions 5.0.0 up to but not including 6.3.0. The issue arises because the RegexCriterion class compiles and evaluates user-supplied regular expressions without proper validation, using Java's Pattern.compile(regex).matcher(id).find() method. This allows an attacker to craft complex regular expressions that cause excessive CPU consumption when evaluated, especially during repeated or recursive calls to the filter(...) method over large network models or filtering operations. The vulnerability is classified as CWE-1333 (Inefficient Regular Expression Complexity), which can lead to polynomial-time complexity in regex evaluation, resulting in CPU exhaustion and potential denial of service. The vulnerability does not require authentication, user interaction, or privileges, and can be triggered remotely if the affected API is exposed. The issue has been patched in version 6.7.2 of com.powsybl:powsybl-iidm-criteria. The CVSS v4.0 base score is 2.7 (low severity), reflecting the limited impact on confidentiality, integrity, and availability, and the fact that exploitation requires sending crafted regex patterns to the vulnerable component. No known exploits are reported in the wild as of the publication date (June 20, 2025).

For European organizations, especially those involved in power system modeling, grid management, and energy infrastructure simulation, this vulnerability could lead to service disruptions due to CPU exhaustion. Since PowSyBl is used to build software for power system analysis, exploitation could degrade the performance of critical operational tools, delaying decision-making or automated responses in power grid management. This could indirectly affect grid stability or operational efficiency. However, the impact is limited to denial of service via resource exhaustion rather than data breach or manipulation. The vulnerability's low CVSS score indicates a low likelihood of severe disruption, but in environments where PowSyBl is integrated into real-time or near-real-time systems, even temporary unavailability could have operational consequences. European energy companies, grid operators, and software vendors using PowSyBl should be aware of this risk. The vulnerability is less likely to impact organizations not using PowSyBl or those using unaffected versions.

Upgrade affected PowSyBl components to version 6.7.2 or later, where the vulnerability is patched. Implement input validation and sanitization on any user-supplied regular expressions before they are processed by the RegexCriterion class to prevent malicious regex patterns. Limit the complexity and length of regular expressions accepted by the system to reduce the risk of ReDoS attacks. Apply rate limiting and throttling on API endpoints or interfaces that accept regex inputs to mitigate repeated exploitation attempts. Monitor CPU usage and application logs for unusual spikes or patterns indicative of ReDoS attempts, enabling early detection and response. If upgrading immediately is not feasible, consider isolating the vulnerable components in controlled environments with resource limits (e.g., CPU quotas, containerization) to minimize impact. Engage with PowSyBl community or vendors for any additional patches, security advisories, or best practices related to this vulnerability.