N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-48058

CVE-2025-48058: PowSyBl Core contains Polynomial REDoS’es

Impact

What kind of vulnerability is it? Who is impacted?

This is an advisory for a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the PowSyBl's DataSource mechanism. When the listNames(String regex) method is called on a DataSource, the user-supplied regular expression (which may be unvalidated) is compiled and evaluated against a collection of file-like resource names.

To trigger a polynomial ReDoS via this mechanism, two attacker-controlled conditions must be met:

Control over the regex input passed into listNames(String regex).
- Example: An attacker supplies a malicious pattern like (.*a){10000}.
Control or influence over the file/resource names being matched.
- Example: Filenames such as "aaaa...!" that induce regex engine backtracking.

If both conditions are satisfied, a malicious actor can cause significant CPU consumption due to regex backtracking — even with polynomial patterns. Since both inputs can be controlled via a publicly accessible method or external filesystem handling, the listNames(String regex) method is considered vulnerable to polynomial REDoS.

Unlike classic catastrophic exponential ReDoS, this subtle attack exploits a greedy .* prefix followed by a fixed suffix, repeated multiple times.
When applied to long filenames that almost match the pattern, the regex engine performs extensive backtracking, degrading performance predictably with input size. In a multi-tenant environment, an attacker can degrade the performance - and thereby the availability - of the server to an extent that it affects other users of the application. This can for example be useful if an attacker wants to delay other users in a scenario where a time advantage can be a competitive advantage.
A tricky part in this is that the attacker needs to control both the pattern and the input which may not always be the case.

Am I impacted?

You are vulnerable if you make direct calls to the listNames(String regex) method on a class implementing the ReadOnlyDataSource interface, don't control the regular expression used as regex parameter, and if this datasource points to an archive or directory where an untrusted user may edit the filenames. For instance, this could be the case if you want to list the files made available by a datasource which names respect a user-provided regular expression. Note that only direct calls to this method are concerned. There are several usages of this method in powsybl, but the provided regular expressions are all hardcoded and therefore cannot be provided by a malicious user.

Patches

com.powsybl:powsybl-commons:6.7.2 and higher

References

powsybl-core v6.7.2

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-48058

CVE-2025-48058:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.powsybl:powsybl-commons	maven	<= 6.7.1	6.7.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the listNames(String regex) method, which is part of the ReadOnlyDataSource interface in the com.powsybl:powsybl-commons package. The core of the issue lies in the fact that this method directly compiles and executes a user-provided regular expression without any safeguards. An attacker can craft a malicious regex pattern that, when evaluated against a list of file names, causes the regex engine to enter a state of catastrophic backtracking. This leads to excessive CPU consumption and a denial of service.

The patch for this vulnerability replaces the direct use of Pattern.asPredicate() with a mechanism that evaluates the regex match with a timeout. This is done by moving the filtering logic to a new utility function, DataSourceUtils.listNames, which uses a Callable and a Future to enforce a timeout on the matching operation. This prevents a malicious regex from blocking the server indefinitely.

The primary vulnerable function is com.powsybl.commons.datasource.ReadOnlyDataSource.listNames because this is the API that developers use and that is exposed to potentially untrusted input. Any code that calls this method with a user-provided regex is at risk.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-48058: PowSyBl Core contains Polynomial REDoS’es

Impact

Am I impacted?

Patches

References

CVE-2025-48058:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2025-48058: PowSyBl Core contains Polynomial REDoS’es

Impact

Am I impacted?

Patches

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI