CVE-2025-48059
BaseFortify
Publication date: 2025-06-20
Last updated on: 2025-06-23
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-48059 is a polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the RegexCriterion class of the PowSyBl framework. It occurs because the class compiles and evaluates user-supplied regular expressions without validation, using Java's standard regex engine. Malicious actors can supply crafted regex patterns that cause excessive backtracking and CPU exhaustion when matched against certain identifiers. This can degrade performance significantly, especially during repeated or recursive filtering operations on large network models. The vulnerability has been fixed by replacing the regex engine with a safer, linear-time engine (RE2J) that avoids this issue. [1, 2]
How can this vulnerability impact me?
If exploited, this vulnerability can cause significant CPU exhaustion and performance degradation in applications using the affected PowSyBl components. Attackers who can supply malicious regex patterns and control or influence the identifiers being matched can trigger repeated or recursive filtering calls that consume excessive CPU resources. This is particularly impactful in environments processing large network models or applying filters dynamically. The result is a denial of service due to resource exhaustion, potentially disrupting normal operations. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if your system uses vulnerable versions of com.powsybl:powsybl-iidm-criteria (6.3.0 to before 6.7.2) or com.powsybl:powsybl-contingency-api (5.0.0 to before 6.3.0) and if untrusted user-supplied regular expressions are compiled and evaluated via RegexCriterion. Detection involves monitoring for excessive CPU usage or performance degradation during regex filtering operations, especially with large network models. While no specific commands are provided, you can monitor CPU usage with standard tools like 'top' or 'htop' on Linux, or use Java profiling tools to detect long-running regex evaluations. Additionally, reviewing logs or code to find usage of Pattern.compile(regex).matcher(id).find() with unvalidated regex input can help identify vulnerable points. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading to com.powsybl:powsybl-iidm-criteria version 6.7.2 or later, where the vulnerability is fixed by replacing the standard Java regex engine with the safer com.google.re2j.Pattern library that avoids ReDoS. Additionally, restrict or validate user-supplied regular expressions to prevent malicious patterns, and avoid allowing untrusted users to define regex criteria or control Identifiable object identifiers. Monitoring and limiting recursive or repeated calls to filter(...) can also reduce risk until the patch is applied. [1, 2]
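The detection and mitigation answers above point at the same code shape: a filter that compiles a user-supplied regex with java.util.regex and runs find() against each identifier, versus the fixed form backed by com.google.re2j. The following is an added example written for this page, not PowSyBl's own RegexCriterion; the class, method names, length cap and sample identifiers are assumptions.

```java
import com.google.re2j.Pattern;
import com.google.re2j.PatternSyntaxException;
import java.util.List;
import java.util.stream.Collectors;

// Added example (not PowSyBl code): an identifier filter in the shape the advisory
// describes, showing the backtracking form beside a RE2J-backed replacement.
public final class IdentifierRegexFilter {

    // Constructed sample identifiers standing in for network element ids.
    static final List<String> SAMPLE_IDS = List.of("GEN_1", "LOAD_7", "LINE_12_34", "SUB_A");

    // Weak form from the advisory: backtracking engine, pattern taken straight from the
    // user, recompiled for every identifier. Matching time is not bounded by input length.
    static boolean matchesBacktracking(String userRegex, String id) {
        return java.util.regex.Pattern.compile(userRegex).matcher(id).find();
    }

    // Hardened form: RE2J guarantees linear-time matching, and the pattern is compiled once
    // per filter call rather than once per identifier. Caveat: RE2J rejects backreferences
    // and lookaround, so patterns that java.util.regex accepted may now fail to compile and
    // must be reported to the caller instead of silently matching nothing.
    static Pattern compileSafely(String userRegex, int maxLength) {
        if (userRegex == null || userRegex.length() > maxLength) {
            throw new IllegalArgumentException("regex missing or longer than " + maxLength);
        }
        try {
            return Pattern.compile(userRegex);
        } catch (PatternSyntaxException e) {
            throw new IllegalArgumentException("unsupported regex syntax: " + e.getMessage(), e);
        }
    }

    static List<String> filter(String userRegex, List<String> ids) {
        Pattern p = compileSafely(userRegex, 256); // hypothetical length cap on user input
        return ids.stream().filter(id -> p.matcher(id).find()).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        System.out.println(filter("^(GEN|LOAD)_", SAMPLE_IDS));
        try {
            filter("(a)\\1", SAMPLE_IDS); // backreference: not RE2 syntax, rejected at compile time
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Until the upgrade to 6.7.2 is applied, the same length cap and compile-time rejection can be placed in front of the existing java.util.regex call, but only the engine swap removes the worst-case backtracking itself.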