VYPR
Low severity · NVD Advisory · Published Jun 20, 2025 · Updated Apr 15, 2026

CVE-2025-48059

Description

PowSyBl (Power System Blocks) is a framework to build power system oriented software. In com.powsybl:powsybl-iidm-criteria versions 6.3.0 to before 6.7.2 and com.powsybl:powsybl-contingency-api versions 5.0.0 to before 6.3.0, there is a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the RegexCriterion class. This class compiles and evaluates an unvalidated, user-supplied regular expression against the identifier of an Identifiable object via Pattern.compile(regex).matcher(id).find(). Because java.util.regex is a backtracking engine, a pattern such as (.*a){1000} run against a long identifier forces polynomial work per call, and a malicious actor can cause significant CPU exhaustion through repeated or recursive filter(...) calls, especially when performed over large network models or filtering operations. This issue has been patched in com.powsybl:powsybl-iidm-criteria 6.7.2. The fix replaces java.util.regex.Pattern with com.google.re2j.Pattern, an RE2-based engine whose matching time is linear in the input length regardless of the pattern (see the commit diff below).
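
As an added illustration (not code from powsybl-core), the vulnerable call shape from the description beside the hardened shape the patch switches to. The class and method names, the compile-time guard and the --slow flag are this example's own; the regex and the identifier are the ones the project's new test uses, and the build assumes com.google.re2j:re2j on the classpath (Java 11 or later for String.repeat).

```java
import java.util.Optional;
import java.util.function.BiPredicate;

/**
 * Added example (hypothetical class, not part of powsybl-core): compares the
 * backtracking engine the advisory describes with the linear-time engine the
 * patch adopts, and shows the dialect change a reviewer must plan for.
 */
public final class RegexCriterionDemo {

    /** Vulnerable shape: java.util.regex backtracks, so an attacker-chosen
     *  pattern can force polynomial work for every identifier it is run on. */
    static boolean filterBacktracking(String regex, String id) {
        return java.util.regex.Pattern.compile(regex).matcher(id).find();
    }

    /** Hardened shape: RE2J's matching time is linear in the input length
     *  whatever the pattern, at the cost of a smaller regex dialect. */
    static boolean filterLinear(String regex, String id) {
        return com.google.re2j.Pattern.compile(regex).matcher(id).find();
    }

    /** Compile once, up front, so a pattern RE2J cannot express is rejected
     *  when the criterion is built instead of surfacing as an unchecked
     *  exception from every later filter(...) call. */
    static Optional<com.google.re2j.Pattern> compileOrReject(String regex) {
        try {
            return Optional.of(com.google.re2j.Pattern.compile(regex));
        } catch (com.google.re2j.PatternSyntaxException e) {
            return Optional.empty();
        }
    }

    /** Times a single filter call and returns the elapsed milliseconds. */
    static long millis(BiPredicate<String, String> filter, String regex, String id) {
        long start = System.nanoTime();
        boolean matched = filter.test(regex, id);
        long elapsed = (System.nanoTime() - start) / 1_000_000L;
        System.out.printf("matched=%b in %d ms%n", matched, elapsed);
        return elapsed;
    }

    public static void main(String[] args) {
        String regex = "(.*a){1000}";          // pattern from the project's test
        String id = "a".repeat(100) + "!";     // identifier from the project's test

        System.out.print("re2j:            ");
        millis(RegexCriterionDemo::filterLinear, regex, id);   // fast; matched=false

        // Patterns java.util.regex accepts but RE2J rejects at compile time:
        // a backreference, a lookahead, and a repeat count above the 1000
        // limit RE2J inherits from RE2 (assumed here; verify on your version).
        for (String p : new String[] {"(a)\\1", "a(?=b)", "(.*a){1001}"}) {
            System.out.printf("re2j accepts %-12s : %b%n", p, compileOrReject(p).isPresent());
        }

        // The backtracking engine is only run on request: on this input it
        // can take far longer than the 5 s bound the project's test uses.
        if (args.length > 0 && args[0].equals("--slow")) {
            System.out.print("java.util.regex: ");
            millis(RegexCriterionDemo::filterBacktracking, regex, id);
        }
    }
}
```

Run with `java -cp re2j.jar:. RegexCriterionDemo` for the linear engine and the rejection list, and add `--slow` to watch the java.util.regex version grind on the same input. The compileOrReject guard is the practical caveat of the fix: any user-supplied pattern that relied on backreferences or lookaround will stop working after the upgrade, so it is better caught when the criterion is constructed than deep inside a filtering loop.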

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Ecosystem  Affected versions   Patched versions
com.powsybl:powsybl-iidm-criteria    Maven      >= 6.3.0, < 6.7.2   6.7.2
com.powsybl:powsybl-contingency-api  Maven      >= 5.0.0, < 6.3.0   6.3.0

Patches (3)

Commit d8398f689a5c

Fix potential polynomial ReDoS in RegexCriterion (GHSA-8qjw-9xgm-c9ff)

https://github.com/powsybl/powsybl-core · Olivier Perrin · Jun 19, 2025 · via GHSA
3 files changed · +137 −2
  • iidm/iidm-criteria/pom.xml+5 0 modified
    @@ -71,6 +71,11 @@
                 <artifactId>jimfs</artifactId>
                 <scope>test</scope>
             </dependency>
    +        <dependency>
    +            <groupId>org.awaitility</groupId>
    +            <artifactId>awaitility</artifactId>
    +            <scope>test</scope>
    +        </dependency>
             <dependency>
                 <groupId>org.junit.jupiter</groupId>
                 <artifactId>junit-jupiter</artifactId>
    
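Review bot: the new `org.awaitility:awaitility` dependency carries no `<version>`, so it resolves only if the parent POM's dependencyManagement already pins awaitility; confirm that entry exists, otherwise this module stops building. The hunk also adds nothing for `com.google.re2j`, which RegexCriterion.java now imports at compile scope in the next file of this patch: if re2j reaches iidm-criteria only transitively, declare it explicitly here so a later dependency bump cannot silently drop it.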
  • iidm/iidm-criteria/src/main/java/com/powsybl/iidm/criteria/RegexCriterion.java+1 2 modified
    @@ -7,11 +7,10 @@
      */
     package com.powsybl.iidm.criteria;
     
    +import com.google.re2j.Pattern;
     import com.powsybl.iidm.network.Identifiable;
     import com.powsybl.iidm.network.IdentifiableType;
     
    -import java.util.regex.Pattern;
    -
     /**
      * @author Etienne Lesot {@literal <etienne.lesot@rte-france.com>}
      */
    
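Review bot: swapping `java.util.regex.Pattern` for `com.google.re2j.Pattern` narrows the accepted dialect (RE2 has no backreferences, lookaround or possessive quantifiers) and changes the failure mode: a previously valid user regex now throws `com.google.re2j.PatternSyntaxException` from `Pattern.compile(regex)`. Record that in the class Javadoc next to the `@author` line and decide whether the exception should be caught and rethrown as a PowSyBl error, since callers currently see it only when filter(...) is invoked. Since the advisory names repeated filter(...) calls as the amplification path, also consider compiling the pattern once when the criterion is constructed rather than on each call.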
  • iidm/iidm-criteria/src/test/java/com/powsybl/iidm/criteria/RegexCriterionTest.java+131 0 added
    @@ -0,0 +1,131 @@
    +/*
    + * Copyright (c) 2025, RTE (http://www.rte-france.com)
    + * This Source Code Form is subject to the terms of the Mozilla Public
    + * License, v. 2.0. If a copy of the MPL was not distributed with this
    + * file, You can obtain one at http://mozilla.org/MPL/2.0/.
    + * SPDX-License-Identifier: MPL-2.0
    + */
    +
    +package com.powsybl.iidm.criteria;
    +
    +import com.powsybl.commons.extensions.Extension;
    +import com.powsybl.iidm.network.Identifiable;
    +import com.powsybl.iidm.network.IdentifiableType;
    +import com.powsybl.iidm.network.Network;
    +import org.junit.jupiter.api.Test;
    +
    +import java.util.Collection;
    +import java.util.Collections;
    +import java.util.Set;
    +import java.util.concurrent.Executor;
    +import java.util.concurrent.Executors;
    +import java.util.concurrent.TimeUnit;
    +import java.util.concurrent.atomic.AtomicBoolean;
    +
    +import static org.awaitility.Awaitility.await;
    +import static org.junit.jupiter.api.Assertions.assertFalse;
    +
    +/**
    + * @author Nicolas Rol {@literal <nicolas.rol at rte-france.com>}
    + */
    +class RegexCriterionTest {
    +
    +    @Test
    +    void polynomialRegexTest() {
    +        String regex = "(.*a){1000}";
    +        RegexCriterion criterion = new RegexCriterion(regex);
    +        MaliciousIdentifiable malicious = new MaliciousIdentifiable();
    +
    +        AtomicBoolean finished = new AtomicBoolean(false);
    +        AtomicBoolean result = new AtomicBoolean(true);
    +        Runnable runnable = () -> {
    +            result.set(criterion.filter(malicious, malicious.getType()));
    +            finished.set(true);
    +        };
    +        Executor executor = Executors.newSingleThreadExecutor();
    +        executor.execute(runnable);
    +
    +        await("Quick processing")
    +            .atMost(5, TimeUnit.SECONDS)
    +            .pollInterval(200, TimeUnit.MILLISECONDS)
    +            .untilTrue(finished);
    +        assertFalse(result.get());
    +    }
    +
    +    private static class MaliciousIdentifiable implements Identifiable<MaliciousIdentifiable> {
    +        @Override
    +        public String getId() {
    +            return "a".repeat(100) + "!";
    +        }
    +
    +        @Override
    +        public IdentifiableType getType() {
    +            return IdentifiableType.BUS;
    +        }
    +
    +        @Override
    +        public Network getNetwork() {
    +            return null;
    +        }
    +
    +        @Override
    +        public boolean hasProperty() {
    +            return false;
    +        }
    +
    +        @Override
    +        public boolean hasProperty(String key) {
    +            return false;
    +        }
    +
    +        @Override
    +        public String getProperty(String key) {
    +            return null;
    +        }
    +
    +        @Override
    +        public String getProperty(String key, String defaultValue) {
    +            return defaultValue;
    +        }
    +
    +        @Override
    +        public String setProperty(String key, String value) {
    +            return null;
    +        }
    +
    +        @Override
    +        public boolean removeProperty(String key) {
    +            return false;
    +        }
    +
    +        @Override
    +        public Set<String> getPropertyNames() {
    +            return Collections.emptySet();
    +        }
    +
    +        @Override
    +        public <E extends Extension<MaliciousIdentifiable>> void addExtension(Class<? super E> type, E extension) {
    +            // Default
    +        }
    +
    +        @Override
    +        public <E extends Extension<MaliciousIdentifiable>> E getExtension(Class<? super E> type) {
    +            return null;
    +        }
    +
    +        @Override
    +        public <E extends Extension<MaliciousIdentifiable>> E getExtensionByName(String name) {
    +            return null;
    +        }
    +
    +        @Override
    +        public <E extends Extension<MaliciousIdentifiable>> boolean removeExtension(Class<E> type) {
    +            return false;
    +        }
    +
    +        @Override
    +        public <E extends Extension<MaliciousIdentifiable>> Collection<E> getExtensions() {
    +            return Collections.emptyList();
    +        }
    +    }
    +}
    
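Review bot: the executor created with `Executors.newSingleThreadExecutor()` in polynomialRegexTest is never shut down, so each run leaks a non-daemon worker thread; declare it as `ExecutorService` and call `executor.shutdownNow()` in a `finally` block after the await. The test also covers only the timing of a pattern RE2J accepts; a second case asserting that a backreference or lookahead pattern is rejected at compile time would pin down the dialect change introduced in RegexCriterion.java, which nothing in this patch exercises.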

References (5)
