CVE-2025-47293
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-19

Last updated on: 2025-06-23

Assigner: GitHub, Inc.

Description
PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, in certain places, powsybl-core XML parsing is vulnerable to an XML external entity (XXE) attack and to a server-side request forgery (SSRF) attack. This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system. The vulnerable class is com.powsybl.commons.xml.XmlReader which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels. This issue has been patched in com.powsybl:powsybl-commons: 6.7.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-19
Last Modified
2025-06-23
Generated
2026-05-06
AI Q&A
2025-06-20
EPSS Evaluated
2026-05-05
NVD
CVE-2025-47293
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in PowSyBl (Power System Blocks) framework versions prior to 6.7.2, specifically in the XML parsing component (com.powsybl.commons.xml.XmlReader). It is vulnerable to XML External Entity (XXE) and Server-Side Request Forgery (SSRF) attacks. These vulnerabilities allow an attacker to elevate their privileges and read files on the system that they normally would not have permission to access, including sensitive files. The issue arises when untrusted users can submit XML data to the vulnerable methods, which is common in multi-tenant applications with users of varying privilege levels. The vulnerability has been fixed in version 6.7.2.


How can this vulnerability impact me? :

This vulnerability can allow an attacker to read sensitive files on the system without proper permissions by exploiting XML parsing flaws. This can lead to unauthorized access to confidential information, potential data leakage, and compromise of system integrity. In multi-tenant environments, attackers could escalate privileges and access data belonging to other users, increasing the risk of data breaches.


What immediate steps should I take to mitigate this vulnerability?

Upgrade the powsybl-commons library to version 6.7.2 or later, as this version contains the patch that fixes the XML external entity (XXE) and server-side request forgery (SSRF) vulnerabilities in the XmlReader class.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart