CVE-2025-47771
Status: Awaiting Analysis (queue)
BaseFortify

Publication date: 2025-06-20

Last updated on: 2025-06-23

Assigner: GitHub, Inc.

Description
PowSyBl (Power System Blocks) is a framework to build power system oriented software. In versions 6.3.0 to 6.7.1, there is a deserialization issue in the read method of the SparseMatrix class that can lead to a wide range of privilege escalations depending on the circumstances. This method takes in an InputStream and returns a SparseMatrix object. This issue has been patched in com.powsybl:powsybl-math: 6.7.2. A workaround for this issue involves not using SparseMatrix deserialization (SparseMatrix.read(...) methods).
Meta Information
Published: 2025-06-20
Last Modified: 2025-06-23
Generated: 2026-05-07
AI Q&A: 2025-06-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-47771 is a security vulnerability in the PowSyBl Core library affecting the SparseMatrix class's deserialization method (SparseMatrix.read(InputStream)). The vulnerability arises because the method deserializes data from an InputStream without sufficient checks, allowing untrusted or malicious serialized objects to be processed. This unsafe deserialization can lead to privilege escalation or remote code execution depending on the context. The issue is due to accepting arbitrary classes during deserialization, which can be exploited by attackers to execute harmful code. The vulnerability has been fixed by implementing a strict whitelist filter that only allows specific safe classes to be deserialized, preventing malicious payloads from being processed. [2, 3]


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to escalate privileges or execute arbitrary code on your system if you deserialize untrusted SparseMatrix objects using the vulnerable method. In environments where serialized SparseMatrix data is received from untrusted sources, such as multi-tenant applications or tools processing external input streams, an attacker could craft malicious serialized data to exploit this flaw. This could lead to unauthorized actions, data compromise, or system takeover. To mitigate this risk, you should upgrade to version 6.7.2 or later where the issue is patched, or avoid using the SparseMatrix.read(...) deserialization method until you can upgrade. [2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying usage of the SparseMatrix.read(InputStream) deserialization method in versions 6.3.0 to 6.7.1 of the powsybl-core library. Detection involves checking if your system or application imports or processes serialized SparseMatrix objects from untrusted sources. Since the vulnerability arises from unsafe deserialization, monitoring or logging deserialization calls or suspicious serialized input streams may help. However, no specific detection commands are provided in the resources. [2, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading the powsybl-core library to version 6.7.2 or later, where the vulnerability is patched by implementing a strict class whitelist filter during SparseMatrix deserialization. If upgrading is not immediately possible, avoid using the SparseMatrix.read(...) deserialization methods to prevent unsafe deserialization of untrusted data. [1, 2, 3]
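The allowlist-filter approach described in the explanation and in the mitigation answer above, as an added Java illustration that is not PowSyBl's own code: a java.io.ObjectInputFilter that lets only the expected class and primitive arrays through and refuses every other class before its deserialization logic runs. SparseMatrix here is a stand-in class, and AllowlistedMatrixReader and its array-size limit are assumptions for the example.

```java
import java.io.*;
import java.util.Set;

// Added example, not PowSyBl's code: ObjectInputStream guarded by an allowlist
// filter (java.io.ObjectInputFilter, JDK 9+). SparseMatrix is a stand-in class.
public final class AllowlistedMatrixReader {
    public static final class SparseMatrix implements Serializable {
        private static final long serialVersionUID = 1L;
        final int rowCount, columnCount;
        final int[] columnStart, rowIndices; // CSC layout
        final double[] values;
        SparseMatrix(int rows, int cols, int[] columnStart, int[] rowIndices, double[] values) {
            this.rowCount = rows; this.columnCount = cols;
            this.columnStart = columnStart; this.rowIndices = rowIndices; this.values = values;
        }
    }
    private static final int MAX_ARRAY_LENGTH = 10_000_000; // bounds memory claimed by hostile input
    /** Allows only the listed classes (and primitive arrays); every other class is rejected. */
    static ObjectInputFilter allowlist(Set<Class<?>> allowed) {
        return info -> {
            if (info.arrayLength() > MAX_ARRAY_LENGTH) return ObjectInputFilter.Status.REJECTED;
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // depth/reference checks carry no class
            while (c.isArray()) c = c.getComponentType();
            if (c.isPrimitive() || allowed.contains(c)) return ObjectInputFilter.Status.ALLOWED;
            return ObjectInputFilter.Status.REJECTED; // any other class, gadget chains included
        };
    }
    public static SparseMatrix read(InputStream in) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(in);
        ois.setObjectInputFilter(allowlist(Set.of(SparseMatrix.class)));
        return (SparseMatrix) ois.readObject(); // InvalidClassException if the filter rejects
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Constructed 2x2 matrix with a single non-zero at (row 1, column 0).
        SparseMatrix m = new SparseMatrix(2, 2, new int[]{0, 1, 1}, new int[]{1}, new double[]{1.5});
        System.out.println("round trip: " + read(new ByteArrayInputStream(serialize(m))).values[0]);
        try { // a stream carrying any other class is refused before its readObject logic runs
            read(new ByteArrayInputStream(serialize(new java.util.ArrayList<>())));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Setting the filter on each stream keeps the allowlist with the code that reads the data; a process-wide default via the jdk.serialFilter system property is a complementary safety net, not a substitute for it.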

