
Deserialization of untrusted SparseMatrix data in PowSyBl Core

Moderate
olperr1 published GHSA-f5cx-h789-j959 Jun 19, 2025

Package

maven com.powsybl:powsybl-math (Maven)

Affected versions

>= 6.3.0 && <= 6.7.1

Patched versions

>= 6.7.2

Description

Impact

What kind of vulnerability is it? Who is impacted?

This is a disclosure for a security vulnerability in the SparseMatrix class. The vulnerability is a deserialization issue that can lead to a wide range of privilege escalations depending on the circumstances. The problematic area is the read method of the SparseMatrix class, which takes an InputStream and returns a SparseMatrix object. We consider this method one that can be exposed to untrusted input in at least two use cases:

  • An application that lets its users submit an InputStream and parses it into a SparseMatrix. This can be a multi-tenant
    application that hosts many different users, perhaps with different privilege levels.
  • A local tool that uses the method but receives the InputStream from external sources.

Am I impacted?

You are vulnerable if you deserialize SparseMatrix objects from serialized data you do not control.

Patches

com.powsybl:powsybl-math:6.7.2 and higher

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not use SparseMatrix deserialization (SparseMatrix.read(...) methods).
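For applications that cannot upgrade immediately, the following added example (not part of this advisory or of PowSyBl's own code) installs a process-wide Java serialization filter that admits only the classes a SparseMatrix legitimately carries and rejects everything else. It assumes that the affected SparseMatrix.read opens a java.io.ObjectInputStream over the caller's stream and that the class is named com.powsybl.math.matrix.SparseMatrix; both are assumptions, not statements from the advisory.

```java
import java.io.ObjectInputFilter;
import java.util.Set;

/**
 * Defence in depth for applications still on powsybl-math 6.3.0..6.7.1:
 * a JVM-wide serialization filter, applied to every ObjectInputStream in the
 * process (including one that SparseMatrix.read may open internally, which is
 * an assumption about the affected implementation). Any class not on the allow
 * list is refused before an instance of it is ever created.
 * Call install() once, at application startup, before any deserialization.
 */
public final class SparseMatrixDeserializationGuard {

    // Assumed fully-qualified name of the class shipped in powsybl-math.
    private static final Set<String> ALLOWED_CLASSES =
            Set.of("com.powsybl.math.matrix.SparseMatrix");

    // Bounds chosen for this example; tune to the largest matrix you expect.
    private static final long MAX_ARRAY_LENGTH = 50_000_000L;
    private static final long MAX_GRAPH_DEPTH = 4;

    private SparseMatrixDeserializationGuard() { }

    static ObjectInputFilter.Status check(ObjectInputFilter.FilterInfo info) {
        // Resource limits: oversized arrays or deep object graphs are rejected outright.
        if (info.arrayLength() > MAX_ARRAY_LENGTH || info.depth() > MAX_GRAPH_DEPTH) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> clazz = info.serialClass();
        if (clazz == null) {
            // Nothing to judge here (null or back-reference); leave it to the other checks.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        // Arrays are judged by their ultimate component type, so int[] and double[]
        // (the matrix storage) reduce to primitives.
        while (clazz.isArray()) {
            clazz = clazz.getComponentType();
        }
        if (clazz.isPrimitive() || ALLOWED_CLASSES.contains(clazz.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        // Any other class in the stream is refused.
        return ObjectInputFilter.Status.REJECTED;
    }

    /** Installs the filter process-wide; throws IllegalStateException if one was already set. */
    public static void install() {
        ObjectInputFilter.Config.setSerialFilter(SparseMatrixDeserializationGuard::check);
    }
}
```

A rejected stream surfaces to the caller as a java.io.InvalidClassException from readObject; if legitimate matrices are refused, the serialized form contains a class the allow list does not name and the list needs extending, which is why upgrading to 6.7.2 remains the real fix.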

References

powsybl-core v6.7.2

Severity

Moderate

CVE ID

CVE-2025-47771

Weaknesses

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid (CWE-502).

Credits