CVE-2025-48059: CWE-1333: Inefficient Regular Expression Complexity in powsybl powsybl-core
PowSyBl (Power System Blocks) is a framework to build power system oriented software. In com.powsybl:powsybl-iidm-criteria versions 6.3.0 to before 6.7.2 and com.powsybl:powsybl-contingency-api versions 5.0.0 to before 6.3.0, there is a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the RegexCriterion class. This class compiles and evaluates an unvalidated, user-supplied regular expression against the identifier of an Identifiable object via Pattern.compile(regex).matcher(id).find(). If successfully exploited, a malicious actor can cause significant CPU exhaustion through repeated or recursive filter(...) calls, especially if performed over large network models or filtering operations. This issue has been patched in com.powsybl:powsybl-iidm-criteria 6.7.2.
AI Analysis
Technical Summary
CVE-2025-48059 identifies a Regular Expression Denial of Service (ReDoS) weakness in the PowSyBl framework, reported against the powsybl-core repository. PowSyBl is an open-source framework for building power system oriented software and is used for modelling and simulating electrical power networks. The vulnerable code is the RegexCriterion class, shipped in com.powsybl:powsybl-iidm-criteria versions 6.3.0 up to but not including 6.7.2 and in com.powsybl:powsybl-contingency-api versions 5.0.0 up to but not including 6.3.0 (the two ranges are adjacent, which suggests the class moved from powsybl-contingency-api to powsybl-iidm-criteria at 6.3.0). RegexCriterion compiles a user-supplied regular expression without validation and evaluates it against each Identifiable's id with Pattern.compile(regex).matcher(id).find(). java.util.regex is a backtracking engine, so a pattern with chained or overlapping unbounded quantifiers can take time polynomial (or worse) in the length of the identifier; the advisory classifies this as CWE-1333 (Inefficient Regular Expression Complexity) and describes it as a potential polynomial ReDoS. As written, the pattern is also compiled and evaluated once per identifier passed to filter(...), so the cost multiplies across a large network model or repeated filtering operations and can exhaust CPU. Exploitation requires the ability to supply the regular expression used by a criterion, for example through a criteria or contingency definition that an application loads from an untrusted source; whether that path is reachable by an unauthenticated or remote party depends on how the embedding application exposes criteria configuration, and the advisory does not characterise the attack path further. The issue is fixed in com.powsybl:powsybl-iidm-criteria 6.7.2. The CVSS v4.0 base score is 2.7 (low), reflecting that the only impact is on availability and that an attacker must first get a crafted pattern into the vulnerable component. No exploitation in the wild had been reported as of the publication date (June 20, 2025).
Potential Impact
For European organizations involved in power system modelling, grid management and energy infrastructure simulation, this vulnerability could cause service disruption through CPU exhaustion. Because PowSyBl is a building block for power system analysis software, a stalled filtering operation could degrade or block the operational tools built on it, delaying decisions or automated responses in grid management and indirectly affecting operational efficiency or stability. The impact is limited to denial of service by resource exhaustion; no data is disclosed or altered. The low CVSS score reflects that limited, availability-only impact rather than a judgement about how likely an attack is in a given deployment: where PowSyBl is integrated into real-time or near-real-time systems, even a temporary stall has operational consequences. European energy companies, grid operators and software vendors that embed PowSyBl should check whether any criteria or contingency definitions can originate from users or external systems. Organizations not using PowSyBl, or using unaffected versions, are not impacted.
Mitigation Recommendations
Upgrade com.powsybl:powsybl-iidm-criteria to 6.7.2 or later, where the issue is patched; projects still depending on the affected com.powsybl:powsybl-contingency-api range (5.0.0 up to but not including 6.3.0) should move to a release line where the criteria classes come from powsybl-iidm-criteria 6.7.2 or later. Treat any regular expression that reaches RegexCriterion as untrusted input: sanitizing a regex after the fact is unreliable, so prefer an allow-list of simple, anchored patterns where the product permits it, cap the pattern length, and reject patterns that fail to compile. Compile each pattern once per criterion rather than once per identifier, and bound evaluation time, for example by matching against a CharSequence that enforces a deadline or by using a linear-time engine such as RE2/J for untrusted patterns. Apply rate limiting on API endpoints or interfaces that accept criteria containing regex inputs to blunt repeated attempts. Monitor CPU usage and application logs for sustained spikes tied to filtering operations, which are the signature of a ReDoS attempt. If upgrading immediately is not feasible, run the vulnerable components with resource limits (CPU quotas, containerization, request timeouts) so that a stalled evaluation cannot starve the rest of the system. Follow the PowSyBl project's advisories for any further patches or guidance.
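The vulnerable call shape described above (Pattern.compile(regex).matcher(id).find() per identifier) beside a bounded replacement, as an added example written for this page and not taken from PowSyBl. BoundedRegexCriterion, DeadlineCharSequence, RegexTimeoutException and the two sample identifiers are assumptions made for the illustration; the wrapper relies only on the fact that java.util.regex reads its input through CharSequence.charAt(). Requires Java 11 or later (String.repeat).

```java
import java.util.List;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Added example, not PowSyBl code. BoundedRegexCriterion, DeadlineCharSequence and
// RegexTimeoutException are hypothetical names chosen for this illustration.
public final class BoundedRegexCriterion {

    // Shape of the vulnerable behaviour in the advisory: the pattern is recompiled for
    // every identifier and evaluated with no limit on how long backtracking may run.
    static boolean unboundedFilter(String regex, String id) {
        return Pattern.compile(regex).matcher(id).find();
    }

    private static final int MAX_PATTERN_LENGTH = 256;
    private static final long MATCH_BUDGET_NANOS = TimeUnit.MILLISECONDS.toNanos(20);

    private final Pattern pattern;   // compiled once per criterion, not once per id

    BoundedRegexCriterion(String regex) {
        Objects.requireNonNull(regex, "regex");
        if (regex.length() > MAX_PATTERN_LENGTH) {
            throw new IllegalArgumentException("regex longer than " + MAX_PATTERN_LENGTH + " chars");
        }
        try {
            this.pattern = Pattern.compile(regex);
        } catch (PatternSyntaxException e) {
            throw new IllegalArgumentException("invalid regex: " + e.getDescription(), e);
        }
    }

    // Thrown instead of letting a pathological pattern occupy the CPU.
    static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException() {
            super("regex evaluation exceeded its time budget");
        }
    }

    // java.util.regex reads its input through CharSequence.charAt(), so wrapping the
    // identifier lets every read check a deadline, however the pattern backtracks.
    private static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence delegate;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence delegate, long deadlineNanos) {
            this.delegate = delegate;
            this.deadlineNanos = deadlineNanos;
        }

        @Override public int length() { return delegate.length(); }

        @Override public char charAt(int index) {
            if (System.nanoTime() - deadlineNanos > 0) {   // overflow-safe comparison
                throw new RegexTimeoutException();
            }
            return delegate.charAt(index);
        }

        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(delegate.subSequence(start, end), deadlineNanos);
        }

        @Override public String toString() { return delegate.toString(); }
    }

    // Same find() semantics as the original, but fails closed on a budget overrun.
    boolean filter(String id) {
        long deadline = System.nanoTime() + MATCH_BUDGET_NANOS;
        return pattern.matcher(new DeadlineCharSequence(id, deadline)).find();
    }

    public static void main(String[] args) {
        // Constructed identifiers: a plausible one and one built to maximise backtracking.
        List<String> ids = List.of("NGEN_NHV1_TWT", "a".repeat(64) + "!");

        // A pattern an operator might legitimately use.
        String benign = "^NGEN_.*";
        // Chained unbounded quantifiers: on 64 'a' followed by '!', the engine tries every way of
        // splitting the run between the eight \w* before giving up (high-degree polynomial work).
        // An attacker-supplied pattern does not need to look plausible.
        String pathological = "^\\w*\\w*\\w*\\w*\\w*\\w*\\w*\\w*$";

        for (String regex : List.of(benign, pathological)) {
            BoundedRegexCriterion criterion = new BoundedRegexCriterion(regex);
            for (String id : ids) {
                String shown = id.length() > 16 ? id.substring(0, 16) + "..." : id;
                try {
                    System.out.println(regex + " on " + shown + " -> " + criterion.filter(id));
                } catch (RegexTimeoutException e) {
                    System.out.println(regex + " on " + shown + " -> rejected (" + e.getMessage() + ")");
                }
            }
        }
        // unboundedFilter(pathological, ids.get(1)) would instead occupy the thread for a long time.
    }
}
```

Run with `java BoundedRegexCriterion.java`. The benign pattern returns true for the plausible id and false for the constructed one; the pathological pattern returns true on the plausible id (every character in it is a word character, so the chain matches immediately) and is rejected on the constructed one once the 20 ms budget is exceeded, where unboundedFilter on the same inputs would occupy the thread for a long time. The deadline fires inside charAt(), so it works whether the pattern is exponential or merely polynomial; the length cap and compile-once behaviour cost nothing and remove the easy amplification of recompiling the pattern for every identifier in a large network model.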
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-15T16:06:40.940Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68568e82aded773421b5a8c2
Added to database: 6/21/2025, 10:50:42 AM
Last enriched: 6/21/2025, 12:38:29 PM
Last updated: 8/12/2025, 4:54:52 AM
Related Threats
- CVE-2025-8310: CWE-862 Missing Authorization in Ivanti Virtual Application Delivery Controller (Medium)
- CVE-2025-8297: CWE-434 Unrestricted Upload of File with Dangerous Type in Ivanti Avalanche (High)
- CVE-2025-8296: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Ivanti Avalanche (High)
- CVE-2025-22834: CWE-665 Improper Initialization in AMI AptioV (Medium)
- CVE-2025-22830: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in AMI AptioV (High)