CVE-2025-47771

Name of the Vulnerable Software and Affected Versions PowSyBl versions 6.3.0 through 6.7.1

Description The issue is a deserialization problem in the read method of the SparseMatrix class, which can lead to various privilege escalations depending on the circumstances. This method takes an InputStream and returns a SparseMatrix object. Users are vulnerable if they import non-controlled serialized SparseMatrix objects. This can be particularly problematic in multi-tenant applications where users with different privilege levels can submit an InputStream to be parsed into a SparseMatrix, or when using the method for a local tool with InputStream from external sources.

Recommendations For versions 6.3.0 through 6.7.1, consider updating to com.powsybl:powsybl-math:6.7.2 or higher to resolve the issue. As a temporary workaround, do not use SparseMatrix deserialization (SparseMatrix.read(...) methods) until a patch is applied.