PT-2025-26231 · Powsybl · Powsybl

Adamkorcz +1 · Published 2025-06-19 · Updated 2025-06-20 · CVE-2025-47293

CVSS v4.0: 2.7 (Low)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: PowSyBl versions prior to 6.7.2
Description: The issue is an XML external entity (XXE) attack, and through it a server-side request forgery (SSRF) attack, in certain places of powsybl-core XML parsing: an entity declared in the DOCTYPE of a submitted document is resolved by the parser, so the document can pull in local files or make the server fetch a URL of the attacker's choosing. This lets an attacker read files with the permissions of the application process that they have no permission to read themselves, including sensitive files on the system. The vulnerable class is com.powsybl.commons.xml.XmlReader; it is exposed wherever untrusted users can submit their own XML to the methods that use it, for example a multi-tenant application that hosts many different users, perhaps with different privilege levels.
Recommendations: For versions prior to 6.7.2, update com.powsybl:powsybl-commons to 6.7.2 or later, which patches the issue. As a temporary workaround, restrict access to the com.powsybl.commons.xml.XmlReader class, that is, to the code paths that parse user-supplied XML, to minimize the risk of exploitation, and do not allow untrusted users to import CGMES or XIIDM network files (both XML-based formats) until the upgrade is in place.
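The mechanism behind the description and the workaround, shown as an added example that is not PowSyBl's own code and does not reproduce what com.powsybl.commons.xml.XmlReader does internally: a StAX reader with JDK defaults expands an external entity from a DOCTYPE into element text, while the same reader with DTD processing and external entity resolution disabled never does. The `<network><name>` document shape, the StaxXxeDemo class and its methods, and the secret file are constructed for the demonstration; the secret is a temporary file created by the example itself, standing in for a file the submitting user cannot read. Requires Java 11 or later.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example (not PowSyBl code): XXE through a StAX reader, before and after hardening.
public class StaxXxeDemo {

    // JDK defaults: DTDs are processed and external entities are resolved, so a
    // DOCTYPE inside attacker-supplied XML can read local files (XXE) or make the
    // server fetch an http(s) URL (SSRF).
    static XMLInputFactory permissiveFactory() {
        return XMLInputFactory.newFactory();
    }

    // Hardened: no DTD processing and no external entity resolution (the two
    // settings the OWASP XXE prevention guidance gives for StAX).
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Stand-in for an importer reading one text value out of a network file:
    // returns the text of the first <name> element, or null if there is none.
    static String readFirstName(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT
                        && "name".equals(r.getLocalName())) {
                    return r.getElementText();   // concatenates text and expanded entities
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    // Boundary check for the interim workaround: a network file has no business
    // carrying a DOCTYPE, so reject such uploads before they reach any parser.
    static boolean declaresDoctype(String xml) {
        return xml.contains("<!DOCTYPE");
    }

    public static void main(String[] args) throws Exception {
        // Constructed secret file, standing in for a file the submitting user
        // cannot read but the application process can.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "SECRET-MARKER-8f3a");
        try {
            // Constructed payload: an external entity pointing at the secret file.
            // A SYSTEM "http://..." entity in the same place is the SSRF variant.
            String payload = "<?xml version=\"1.0\"?>\n"
                    + "<!DOCTYPE network [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                    + "<network><name>&xxe;</name></network>";

            System.out.println("doctype present: " + declaresDoctype(payload));

            String leaked = readFirstName(permissiveFactory(), payload);
            System.out.println("permissive reader: " + leaked);
            if (!"SECRET-MARKER-8f3a".equals(leaked)) {
                throw new AssertionError("expected the default reader to expand the entity");
            }

            String safe;
            try {
                safe = String.valueOf(readFirstName(hardenedFactory(), payload));
            } catch (XMLStreamException e) {
                safe = "<rejected: " + e.getMessage() + ">";
            }
            System.out.println("hardened reader: " + safe);
            if (safe.contains("SECRET-MARKER-8f3a")) {
                throw new AssertionError("hardened reader must never expand external entities");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

With the JDK's built-in StAX implementation the hardened reader fails at the `&xxe;` reference with an XMLStreamException, because the DTD that declares the entity was not processed; other StAX implementations may instead leave the entity unexpanded, which is why the check is on the output rather than on the exception. The `declaresDoctype` pre-filter is a blunt boundary control for the period before the upgrade; it does not replace fixing the parser configuration, since a DOCTYPE can be disguised in ways a substring match misses (encoding tricks, for instance), and it rejects legitimate documents that happen to carry one.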

Exploit · Fix · LPE · SSRF · XXE

Weakness Enumeration

Related Identifiers

CVE-2025-47293
GHSA-QPJ9-QCWX-8JV2

Affected Products

Powsybl