CVE-2025-47771 Overview
PowSyBl (Power System Blocks) is an open-source Java framework for building power system oriented software. Its powsybl-math module contains an insecure deserialization vulnerability in the read method of the SparseMatrix class. In versions 6.3.0 through 6.7.1, read(...) takes an InputStream and reconstructs a SparseMatrix with Java serialization without checking which class the stream actually names, so an attacker who controls the stream can supply a crafted serialized payload that runs code or escalates privileges during deserialization; the impact depends on the gadget classes available on the embedding application's classpath and on the privileges of the host process. The maintainers fixed the issue in com.powsybl:powsybl-math version 6.7.2 by enforcing object type checks during deserialization.
Critical Impact
An attacker who can get a crafted serialized stream into SparseMatrix.read(...) (for example through an upload endpoint or an attacker-supplied matrix file) can achieve arbitrary code execution or privilege escalation inside the application embedding a vulnerable PowSyBl version. The library itself requires no authentication; whether the attacker needs any depends on how the embedding application exposes the call.
Affected Products
- com.powsybl:powsybl-math versions 6.3.0 through 6.7.1
- PowSyBl Core releases from v6.3.0 up to and including v6.7.1 (fixed in v6.7.2)
- Downstream applications and tools embedding the vulnerable powsybl-math dependency
Discovery Timeline
- 2025-06-20 - CVE-2025-47771 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-47771
Vulnerability Analysis
The flaw is an insecure deserialization issue classified under CWE-502. The SparseMatrix.read(...) methods accept an InputStream and reconstruct the object with Java serialization without restricting the expected class. A plain ObjectInputStream.readObject() resolves and instantiates whatever serializable class the stream names, provided it is on the classpath, and runs that class's readObject(), readResolve() and related hooks while doing so. Gadget-chain payloads chain such hooks from library classes already present on the classpath so that attacker-chosen code runs during object reconstruction, before the caller ever sees the result.
PowSyBl is commonly embedded in power grid simulation services, calculation engines, and analytical tools. When such an application exposes matrix loading functionality across a network or processes attacker-controlled files, the vulnerability becomes remotely reachable.
Root Cause
The read method in math/src/main/java/com/powsybl/math/matrix/SparseMatrix.java performed unrestricted Java object deserialization. Nothing confirmed that the object being reconstructed was a SparseMatrix, so any class reachable on the application classpath could be instantiated through a gadget chain. A cast to SparseMatrix after readObject() returns does not help: the gadget code has already run inside readObject() by the time the cast fails.
Attack Vector
The attack vector is network-reachable whenever an application passes a remotely sourced stream to SparseMatrix.read(...). An attacker submits a malicious serialized blob that triggers gadget chains during deserialization, leading to code execution with the privileges of the JVM process. The library performs no authentication and needs no user interaction; any authentication that does apply comes from the embedding application's endpoint, not from PowSyBl.
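To make the root cause and the shape of the fix concrete, the following is an added example and not PowSyBl's code: a hypothetical DemoSparseMatrix stand-in (its CSC fields are an assumption, not SparseMatrix's real layout), the unrestricted read pattern the advisory describes, and a hardened read that installs a per-stream java.io.ObjectInputFilter allowlist (Java 9+, JEP 290) before readObject() and then type-checks the result. A serialized empty HashMap is a constructed stand-in for the entry object of a gadget chain; it is not an exploit payload.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/** Hypothetical stand-in for a CSC matrix; NOT PowSyBl's SparseMatrix (field layout is assumed). */
final class DemoSparseMatrix implements Serializable {
    private static final long serialVersionUID = 1L;
    final int rowCount;
    final int columnCount;
    final int[] columnStart;   // CSC column pointers, length columnCount + 1
    final int[] rowIndices;    // row index of each stored value
    final double[] values;     // stored (non-zero) values

    DemoSparseMatrix(int rowCount, int columnCount, int[] columnStart, int[] rowIndices, double[] values) {
        this.rowCount = rowCount;
        this.columnCount = columnCount;
        this.columnStart = columnStart;
        this.rowIndices = rowIndices;
        this.values = values;
    }
}

public final class SafeMatrixRead {

    /** Vulnerable pattern: whatever class the stream names is instantiated before the cast runs. */
    static DemoSparseMatrix readUnsafe(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            return (DemoSparseMatrix) ois.readObject();
        }
    }

    /**
     * Hardened pattern: a per-stream allowlist filter rejects every class except the matrix itself
     * before anything is instantiated. Primitive arrays (int[], double[]) are left UNDECIDED by
     * pattern filters and therefore pass. The instanceof check is a second line of defence only.
     */
    static DemoSparseMatrix readSafe(InputStream in) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowOnlyMatrix = ObjectInputFilter.Config.createFilter(
                DemoSparseMatrix.class.getName() + ";maxdepth=4;maxrefs=64;!*");
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(allowOnlyMatrix);
            Object o = ois.readObject();
            if (!(o instanceof DemoSparseMatrix)) {
                throw new InvalidObjectException("expected DemoSparseMatrix, got " + o.getClass().getName());
            }
            return (DemoSparseMatrix) o;
        }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            oos.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: 3x3 matrix with (0,0)=1.0, (2,1)=2.5, (1,2)=-4.0 in CSC form.
        byte[] legit = serialize(new DemoSparseMatrix(3, 3,
                new int[] {0, 1, 2, 3}, new int[] {0, 2, 1}, new double[] {1.0, 2.5, -4.0}));
        DemoSparseMatrix m = readSafe(new ByteArrayInputStream(legit));
        System.out.println("filtered read accepted a legitimate matrix with " + m.values.length + " stored values");

        // Constructed stand-in for a gadget chain's entry object (no exploit payload here).
        byte[] foreign = serialize(new HashMap<String, String>());
        try {
            readUnsafe(new ByteArrayInputStream(foreign));
        } catch (ClassCastException e) {
            System.out.println("unfiltered read fully deserialized the foreign object and failed only at the cast");
        }
        try {
            readSafe(new ByteArrayInputStream(foreign));
        } catch (InvalidClassException e) {
            System.out.println("filtered read rejected it before instantiation: " + e.getMessage());
        }
    }
}
```

The per-stream filter is set on the ObjectInputStream that reads the matrix and affects nothing else in the process, which is the property a library fix needs; the process-wide jdk.serialFilter described under Workarounds is the operator-side fallback when the library cannot be upgraded yet.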
// Patch excerpt: math/src/main/java/com/powsybl/math/matrix/SparseMatrix.java
// Adds explicit type checking during SparseMatrix deserialization
import com.powsybl.commons.exceptions.UncheckedClassNotFoundException;
import com.powsybl.commons.util.trove.TDoubleArrayListHack;
import com.powsybl.commons.util.trove.TIntArrayListHack;
+import gnu.trove.list.array.TDoubleArrayList;
+import gnu.trove.list.array.TIntArrayList;
import java.io.*;
import java.nio.file.Files;
import java.nio.file.Path;
-import java.util.Arrays;
-import java.util.List;
-import java.util.Objects;
+import java.util.*;
/**
* Sparse matrix implementation in CSC format.
*/
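Review bot: the lines shown only touch imports; the type check that the header comment promises for read(...) is not in this excerpt, so the actual fix cannot be reviewed from it. Please quote the hunk that changes the readObject() call site and the check that follows it. Two points on the lines that are visible: replacing `import java.util.Arrays;`, `import java.util.List;` and `import java.util.Objects;` with `import java.util.*;` is a style regression (wildcard imports hide which types a file depends on and are flagged by most Java style checkers), so keep the explicit imports; and the new `gnu.trove.list.array.TIntArrayList` / `TDoubleArrayList` imports sit beside the existing `TIntArrayListHack` / `TDoubleArrayListHack` imports, so whichever allowlist or instanceof check the fix adds must name the concrete classes a SparseMatrix actually serializes, or legitimate matrices will be rejected.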
Source: GitHub commit 8ed16ce
Detection Methods for CVE-2025-47771
Indicators of Compromise
- Unexpected child processes spawned by Java applications hosting the powsybl-math library, particularly shells or scripting interpreters
- Inbound network requests delivering serialized Java payloads to PowSyBl-integrated services: a raw stream begins with the magic bytes AC ED 00 05, and the same header base64-encoded begins with rO0AB (typically rO0ABXNy, the header followed by TC_OBJECT and TC_CLASSDESC)
- Unusual outbound connections from JVM processes after matrix import operations
- Stack traces in application logs in which a readObject(), readResolve() or similar deserialization hook of a class outside the com.powsybl packages appears above SparseMatrix.read in the call stack, meaning a foreign class was being reconstructed during a matrix read
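The serialized-payload indicator above, turned into a scanner as an added example (not PowSyBl or vendor code): it searches a request body at any offset for the raw AC ED 00 05 header or its base64 form, confirming a base64 candidate by decoding it, so it also catches streams buried inside multipart uploads or form parameters. The sample bodies are constructed in the code; the `record` syntax needs Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public final class SerializedPayloadDetector {

    // Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
    static final byte[] STREAM_HEADER = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};
    // Base64 of 0xACED0005 starts with "rO0AB"; the 6th character depends on the next byte.
    static final String BASE64_PREFIX = "rO0AB";

    /** Where a stream header was found and how it was encoded. */
    record Hit(String form, int offset) {}

    /** Returns a Hit if the body carries a Java serialization header, raw or base64-encoded; null otherwise. */
    static Hit scan(byte[] body) {
        int raw = indexOf(body, STREAM_HEADER, 0);
        if (raw >= 0) return new Hit("raw", raw);
        // ISO-8859-1 maps bytes 1:1 to chars, so offsets in the text equal offsets in the body.
        String text = new String(body, StandardCharsets.ISO_8859_1);
        int from = 0;
        while ((from = text.indexOf(BASE64_PREFIX, from)) >= 0) {
            // Confirm the candidate: the first 8 base64 chars decode to 6 bytes that must start with the header.
            if (from + 8 <= text.length()) {
                try {
                    byte[] decoded = Base64.getDecoder().decode(text.substring(from, from + 8));
                    if (indexOf(decoded, STREAM_HEADER, 0) == 0) return new Hit("base64", from);
                } catch (IllegalArgumentException notBase64) {
                    // not valid base64 at this offset; keep scanning
                }
            }
            from += 1;
        }
        return null;
    }

    static int indexOf(byte[] hay, byte[] needle, int from) {
        outer:
        for (int i = from; i <= hay.length - needle.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = new byte[a.length + b.length];
        System.arraycopy(a, 0, out, 0, a.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    public static void main(String[] args) {
        // Header followed by TC_OBJECT ('s') and TC_CLASSDESC ('r'), as every ordinary object stream begins.
        byte[] streamStart = concat(STREAM_HEADER, "sr".getBytes(StandardCharsets.US_ASCII));
        // Constructed sample bodies: a multipart upload carrying a raw stream, a base64 form parameter, benign JSON.
        byte[][] samples = {
            concat(("--b\r\nContent-Disposition: form-data; name=\"matrix\"; filename=\"m.bin\"\r\n\r\n")
                    .getBytes(StandardCharsets.US_ASCII), streamStart),
            ("matrix=" + Base64.getEncoder().encodeToString(streamStart)).getBytes(StandardCharsets.US_ASCII),
            "{\"rows\":3,\"cols\":3,\"values\":[1.0,2.5,-4.0]}".getBytes(StandardCharsets.UTF_8),
        };
        for (byte[] body : samples) {
            Hit hit = scan(body);
            System.out.println(hit == null ? "clean"
                    : hit.form() + " Java serialization header at offset " + hit.offset());
        }
    }
}
```

Run against the three constructed samples it reports a raw hit inside the multipart body, a base64 hit at the offset of the parameter value, and "clean" for the JSON. A hit is an indicator, not proof of attack: endpoints that legitimately accept serialized matrices need the scanner scoped to everything else.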
Detection Strategies
- Inventory Java dependencies with software composition analysis tools to identify com.powsybl:powsybl-math versions 6.3.0 through 6.7.1 inclusive, including transitive copies pulled in by other PowSyBl artifacts
- Inspect application logs for deserialization errors, ClassNotFoundException, or InvalidClassException traces tied to SparseMatrix
- Monitor JVM telemetry for process executions, file writes, or socket activity originating from threads handling matrix imports
Monitoring Recommendations
- Enable Java Flight Recorder or JMX monitoring on services that ingest sparse matrix data from external sources
- Capture network packet metadata for endpoints accepting binary uploads to power system applications
- Forward application and host telemetry to a centralized analytics platform and alert on anomalous child process creation from JVM workloads
How to Mitigate CVE-2025-47771
Immediate Actions Required
- Upgrade com.powsybl:powsybl-math to version 6.7.2 or later across all build manifests and lockfiles
- Audit application code for invocations of SparseMatrix.read(...) that operate on untrusted or remotely sourced input streams
- Restrict network exposure of services that load PowSyBl matrices until patching is complete
Patch Information
The fix is available in com.powsybl:powsybl-math version 6.7.2. The patch adds explicit type validation during deserialization to reject objects that are not SparseMatrix instances. Review the GitHub Release v6.7.2 and the GitHub Security Advisory GHSA-f5cx-h789-j959 for full remediation details.
Workarounds
- Avoid using SparseMatrix.read(...) methods entirely until upgrade is possible
- Reject or sandbox any user-supplied serialized matrix files before invoking PowSyBl APIs
- Apply a JVM-level deserialization filter (jdk.serialFilter, available since Java 9 via JEP 290) that restricts the classes allowed in serialized streams to a strict allowlist; note that this filter is process-wide and will also reject any other legitimate deserialization the application performs, so test it before rollout
# Example JVM deserialization filter restricting allowed classes
# The class list below is an assumption drawn from the patch imports; the real allowlist must
# name every class in SparseMatrix's actual serialized graph (including PowSyBl's own
# TIntArrayListHack/TDoubleArrayListHack wrappers if those are what a SparseMatrix writes),
# so verify it against a legitimate matrix file first. "!*" rejects everything not listed.
java -Djdk.serialFilter='com.powsybl.math.matrix.SparseMatrix;gnu.trove.list.array.TDoubleArrayList;gnu.trove.list.array.TIntArrayList;!*' \
 -jar your-powsybl-application.jar
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


