GHSA-qpj9-qcwx-8jv2

Source

https://github.com/advisories/GHSA-qpj9-qcwx-8jv2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-qpj9-qcwx-8jv2/GHSA-qpj9-qcwx-8jv2.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-qpj9-qcwx-8jv2

Aliases

CVE-2025-47293

Published

2025-06-19T14:29:40Z

Modified

2025-06-20T14:50:50.773973Z

Severity

2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

PowSyBl Core XML Reader allows XXE and SSRF

Details

Impact

What kind of vulnerability is it? Who is impacted? In certain places, powsybl-core XML parsing is vulnerable to an XXE attack and in on place also to an SSRF attack. This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system. The vulnerable class is com.powsybl.commons.xml.XmlReader which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels.

Am I impacted?

You are vulnerable if you allow untrusted users to import untrusted CGMES or XIIDM network files.

Patches

com.powsybl:powsybl-commons:6.7.2 and higher

References

powsybl-core v6.7.2

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2025-06-19T22:15:19Z",
    "severity": "LOW",
    "cwe_ids": [
        "CWE-611",
        "CWE-918"
    ],
    "github_reviewed_at": "2025-06-19T14:29:40Z"
}

References

Affected packages

Maven / com.powsybl:powsybl-commons

Package

Name: com.powsybl:powsybl-commons; View open source insights on deps.dev
Purl: pkg:maven/com.powsybl/powsybl-commons

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.7.2

Affected versions

1.*

1.0.0

1.1.0

2.*

2.0.0

2.1.0

2.2.0

2.3.0

2.4.0

2.4.1

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

3.*

3.0.0

3.1.0

3.2.0

3.3.0

3.3.1

3.3.2

3.4.0

3.5.0

3.6.0

3.7.0

3.7.1

3.7.2

3.8.0-RC1

3.8.0

3.8.1

4.*

4.0.0-RC1

4.0.0-RC2

4.0.0

4.0.1

4.1.0

4.1.1

4.1.2

4.2.0-RC1

4.2.0

4.3.0-alpha-1

4.3.0-RC1

4.3.0-RC2

4.3.0

4.3.1

4.4.0-RC1

4.4.0

4.5.0-RC1

4.5.0

4.5.1

4.6.0-RC1

4.6.0

4.6.1

4.7.0-RC1

4.7.0-RC2

4.7.0

4.8.0-RC1

4.8.0-RC2

4.8.0

4.9.0-RC1

4.9.0

4.9.1

4.9.2

4.10.0-alpha-1

4.10.0-RC1

4.10.0

4.10.1

4.10.2

5.*

5.0.0-RC1

5.0.0

5.1.0-RC1

5.1.0

5.1.1

5.2.0-alpha-1

5.2.0-RC1

5.2.0

5.2.1

5.3.0-alpha-1

5.3.0-alpha-2

5.3.0

5.3.1

5.3.2

6.*

6.0.0-RC1

6.0.0

6.0.1

6.0.2

6.0.3

6.1.0-alpha-1

6.1.0

6.1.1

6.1.2

6.2.0-RC1

6.2.0

6.2.1

6.2.2

6.2.3

6.2.4

6.3.0-alpha-1

6.3.0

6.3.1

6.3.2

6.4.0-RC2

6.4.0

6.4.1

6.5.0-RC1

6.5.0

6.5.1

6.6.0-RC1

6.6.0

6.6.1

6.7.0-RC1

6.7.0

6.7.1

Database specific

{
    "last_known_affected_version_range": "<= 6.7.1"
}