GHSA-RQPX-F6RC-7HM5
Vulnerability from github – Published: 2025-06-19 16:19 – Updated: 2025-06-20 14:20Impact
What kind of vulnerability is it? Who is impacted?
This is an advisory for a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the PowSyBl's DataSource mechanism. When the listNames(String regex) method is called on a DataSource, the user-supplied regular expression (which may be unvalidated) is compiled and evaluated against a collection of file-like resource names.
To trigger a polynomial ReDoS via this mechanism, two attacker-controlled conditions must be met:
- Control over the regex input passed into listNames(String regex).
- Example: An attacker supplies a malicious pattern like (.*a){10000}.
- Control or influence over the file/resource names being matched.
- Example: Filenames such as "aaaa...!" that induce regex engine backtracking.
If both conditions are satisfied, a malicious actor can cause significant CPU consumption due to regex backtracking — even
with polynomial patterns. Since both inputs can be controlled via a publicly accessible method or external filesystem handling,
the listNames(String regex) method is considered vulnerable to polynomial REDoS.
Unlike classic catastrophic exponential ReDoS, this subtle attack exploits a greedy .* prefix followed by a fixed suffix, repeated multiple times.
When applied to long filenames that almost match the pattern, the regex engine performs extensive backtracking, degrading performance predictably with input size. In a multi-tenant environment, an attacker can degrade the performance - and thereby the availability - of the server to an extent that it affects other users of the application. This can for example be useful if an attacker wants to delay other users in a scenario where a time advantage can be a competitive advantage.
A tricky part in this is that the attacker needs to control both the pattern and the input which may not always be the case.
Am I impacted?
You are vulnerable if you make direct calls to the listNames(String regex) method on a class implementing the ReadOnlyDataSource interface, don't control the regular expression used as regex parameter, and if this datasource points to an archive or directory where an untrusted user may edit the filenames.
For instance, this could be the case if you want to list the files made available by a datasource which names respect a user-provided regular expression.
Note that only direct calls to this method are concerned. There are several usages of this method in powsybl, but the provided regular expressions are all hardcoded and therefore cannot be provided by a malicious user.
Patches
com.powsybl:powsybl-commons:6.7.2 and higher
References
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.7.1"
},
"package": {
"ecosystem": "Maven",
"name": "com.powsybl:powsybl-commons"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48058"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-19T16:19:33Z",
"nvd_published_at": "2025-06-20T01:15:38Z",
"severity": "MODERATE"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThis is an advisory for a **potential polynomial Regular Expression Denial of Service (ReDoS)** vulnerability in the PowSyBl\u0027s DataSource mechanism. When the `listNames(String regex)` method is called on a DataSource, the user-supplied regular expression (which may be unvalidated) is compiled and evaluated against a collection of file-like resource names.\n\nTo trigger a **polynomial ReDoS** via this mechanism, **two attacker-controlled conditions** must be met:\n- **Control over the regex input** passed into `listNames(String regex)`.\n - _Example:_ An attacker supplies a malicious pattern like `(.*a){10000}`.\n- **Control or influence over the file/resource names** being matched.\n - _Example:_ Filenames such as `\"aaaa...!\"` that induce regex engine backtracking.\n\nIf both conditions are satisfied, a malicious actor can cause **significant CPU consumption** due to regex backtracking \u2014 even\nwith polynomial patterns. Since both inputs can be controlled via a publicly accessible method or external filesystem handling,\nthe `listNames(String regex)` method is considered vulnerable to polynomial **REDoS**.\n\nUnlike classic _catastrophic exponential_ ReDoS, this subtle attack exploits a greedy `.*` prefix followed by a fixed suffix, repeated multiple times. \nWhen applied to long filenames that almost match the pattern, the regex engine performs extensive backtracking, degrading performance predictably with input size. In a multi-tenant environment, an attacker can degrade the performance - and thereby the availability - of the server to an extent that it affects other users of the application. This can for example be useful if an attacker wants to delay other users in a scenario where a time advantage can be a competitive advantage. \nA tricky part in this is that the attacker needs to control both the pattern and the input which may not always be the case.\n\n#### Am I impacted?\nYou are vulnerable if you make direct calls to the `listNames(String regex)` method on a class implementing the `ReadOnlyDataSource` interface, don\u0027t control the regular expression used as `regex` parameter, and if this datasource points to an archive or directory where an untrusted user may edit the filenames.\nFor instance, this could be the case if you want to list the files made available by a datasource which names respect a user-provided regular expression.\nNote that only direct calls to this method are concerned. There are several usages of this method in powsybl, but the provided regular expressions are all hardcoded and therefore cannot be provided by a malicious user.\n\n### Patches\ncom.powsybl:powsybl-commons:6.7.2 and higher\n\n### References\n[powsybl-core v6.7.2](https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2)",
"id": "GHSA-rqpx-f6rc-7hm5",
"modified": "2025-06-20T14:20:59Z",
"published": "2025-06-19T16:19:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-rqpx-f6rc-7hm5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48058"
},
{
"type": "WEB",
"url": "https://github.com/powsybl/powsybl-core/commit/72f79dec6d4292f892fbddd68a19c67935c7d81f"
},
{
"type": "PACKAGE",
"url": "https://github.com/powsybl/powsybl-core"
},
{
"type": "WEB",
"url": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PowSyBl Core contains Polynomial REDoS\u2019es"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.