GHSA-f5cx-h789-j959: PowSyBl Core allows deserialization of untrusted SparseMatrix data

Impact

What kind of vulnerability is it? Who is impacted?

This advisory covers a deserialization vulnerability in the SparseMatrix class. Depending on where the class is deployed, it can lead to a wide range of privilege escalations. The problematic code is the read method of SparseMatrix, which takes an InputStream and returns a SparseMatrix object. We consider this method exposed to untrusted input in at least two use cases:

  • An application lets users submit an InputStream that it parses into a SparseMatrix with this method. This could be a multi-tenant application hosting many users, possibly with different privilege levels.
  • A local tool uses the method on an InputStream received from external sources.
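Both exposure paths above have the same shape: bytes the caller does not control drive Java object deserialization. The following is an added example, not code from the powsybl project, showing the mitigation that fits that shape, a java.io.ObjectInputFilter allowlist. It assumes, since this page does not say so, that the vulnerable read method wraps the supplied InputStream in a java.io.ObjectInputStream; the CscMatrix class, its fields, the size limits and the sample data are stand-ins constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added example, not powsybl code. Requires Java 9+ for java.io.ObjectInputFilter.
public class SerialFilterDemo {

    // Stand-in for the Serializable matrix class the application expects to read
    // (powsybl's class is com.powsybl.math.matrix.SparseMatrix; the fields below are
    // assumed for this example and not taken from the project).
    static final class CscMatrix implements Serializable {
        private static final long serialVersionUID = 1L;
        final int rowCount;
        final int columnCount;
        final int[] columnStart;
        final int[] rowIndices;
        final double[] values;

        CscMatrix(int rowCount, int columnCount, int[] columnStart, int[] rowIndices, double[] values) {
            this.rowCount = rowCount;
            this.columnCount = columnCount;
            this.columnStart = columnStart;
            this.rowIndices = rowIndices;
            this.values = values;
        }
    }

    // Allowlist filter: the one expected class, hard caps on nesting depth, array
    // length, reference count and stream size, then "!*" to reject every other class.
    // Arrays of primitives are left UNDECIDED by the filter machinery, so the
    // int[]/double[] fields still load; any class a gadget chain needs is refused
    // before it is instantiated.
    static ObjectInputFilter matrixOnlyFilter(Class<?> matrixClass) {
        return ObjectInputFilter.Config.createFilter(
                "maxdepth=4;maxarray=10000000;maxrefs=1000;maxbytes=100000000;"
                        + matrixClass.getName() + ";!*");
    }

    // Reads one object from untrusted bytes with the filter installed on this stream.
    static Object readFiltered(byte[] bytes, Class<?> matrixClass)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(matrixOnlyFilter(matrixClass));
            return ois.readObject();
        }
    }

    static byte[] serialize(Serializable object) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(object);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: 3x3 matrix in CSC form with two non-zero entries.
        CscMatrix sample = new CscMatrix(3, 3, new int[] {0, 1, 1, 2}, new int[] {0, 2},
                new double[] {1.5, -2.0});
        CscMatrix back = (CscMatrix) readFiltered(serialize(sample), CscMatrix.class);
        System.out.println("accepted " + back.rowCount + "x" + back.columnCount
                + " with " + back.values.length + " non-zeros");

        // Constructed stand-in for a hostile stream: a class outside the allowlist is
        // refused when its class descriptor is resolved, before any constructor or
        // readObject method runs. A real gadget chain is refused the same way.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            readFiltered(unexpected, CscMatrix.class);
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // When the ObjectInputStream is built inside library code you do not control
        // (assumed here to be what SparseMatrix.read does with the stream it is given),
        // setObjectInputFilter is out of reach; install the same filter process-wide
        // before any deserialization happens instead:
        //   ObjectInputFilter.Config.setSerialFilter(matrixOnlyFilter(SparseMatrix.class));
        // or launch the JVM with -Djdk.serialFilter="com.powsybl.math.matrix.SparseMatrix;!*"
    }
}
```

The per-stream filter only helps when your code owns the ObjectInputStream. For a library method that builds its own stream, the process-wide filter (or the jdk.serialFilter system property) is the only hook short of not calling the method, and it must be installed before the first deserialization in the process; it is defence in depth, not a substitute for the 6.7.2 upgrade.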

Am I impacted?

You are affected if you read serialized SparseMatrix objects from streams you do not control.

Patches

Fixed in com.powsybl:powsybl-math 6.7.2 and higher.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not use SparseMatrix deserialization (the SparseMatrix.read(...) methods); at a minimum, never call it on a stream you do not control.
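The workaround above is to stop reading serialized SparseMatrix objects from untrusted streams. What to use instead, as an added example that is neither the project's code nor its 6.7.2 fix: an explicit binary layout read with DataInputStream, where the stream never names a class and every count is validated before an array is allocated. The CscMatrix class, the magic number, the MAX_DIM/MAX_NNZ limits and the sample data are illustrative choices made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.util.Arrays;

// Added example, not powsybl code: an explicit compressed-sparse-column (CSC) format
// with no class names in the stream, so a deserialization gadget has nothing to hook,
// and with every count checked before memory is allocated.
public class CscMatrixCodec {

    static final int MAGIC = 0x43534331;    // "CSC1", format marker
    static final int MAX_DIM = 10_000_000;  // policy limits (hypothetical values)
    static final int MAX_NNZ = 50_000_000;

    static final class CscMatrix {
        final int rowCount;
        final int columnCount;
        final int[] columnStart;  // columnCount + 1 entries, non-decreasing, 0 .. nnz
        final int[] rowIndices;   // nnz entries, each in [0, rowCount)
        final double[] values;    // nnz entries

        CscMatrix(int rowCount, int columnCount, int[] columnStart, int[] rowIndices, double[] values) {
            this.rowCount = rowCount;
            this.columnCount = columnCount;
            this.columnStart = columnStart;
            this.rowIndices = rowIndices;
            this.values = values;
        }
    }

    static byte[] write(CscMatrix m) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (DataOutputStream out = new DataOutputStream(bos)) {
            out.writeInt(MAGIC);
            out.writeInt(m.rowCount);
            out.writeInt(m.columnCount);
            out.writeInt(m.values.length);            // nnz
            for (int v : m.columnStart) out.writeInt(v);
            for (int v : m.rowIndices) out.writeInt(v);
            for (double v : m.values) out.writeDouble(v);
        }
        return bos.toByteArray();
    }

    // Every header field is range-checked before the arrays it sizes are allocated;
    // a truncated stream fails with EOFException from readInt/readDouble.
    static CscMatrix read(byte[] bytes) throws IOException {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(bytes))) {
            if (in.readInt() != MAGIC) throw new IOException("bad magic");
            int rows = in.readInt();
            int cols = in.readInt();
            int nnz = in.readInt();
            if (rows < 0 || rows > MAX_DIM || cols < 0 || cols > MAX_DIM)
                throw new IOException("dimension out of range: " + rows + "x" + cols);
            if (nnz < 0 || nnz > MAX_NNZ || (long) nnz > (long) rows * cols)
                throw new IOException("nnz out of range: " + nnz);
            int[] columnStart = new int[cols + 1];
            for (int j = 0; j <= cols; j++) {
                columnStart[j] = in.readInt();
                if (columnStart[j] < 0 || columnStart[j] > nnz || (j > 0 && columnStart[j] < columnStart[j - 1]))
                    throw new IOException("columnStart not monotone or out of range at " + j);
            }
            if (columnStart[0] != 0 || columnStart[cols] != nnz)
                throw new IOException("columnStart endpoints inconsistent with nnz");
            int[] rowIndices = new int[nnz];
            for (int k = 0; k < nnz; k++) {
                rowIndices[k] = in.readInt();
                if (rowIndices[k] < 0 || rowIndices[k] >= rows)
                    throw new IOException("row index out of range at " + k);
            }
            double[] values = new double[nnz];
            for (int k = 0; k < nnz; k++) {
                values[k] = in.readDouble();
                if (!Double.isFinite(values[k])) throw new IOException("non-finite value at " + k);
            }
            if (in.read() != -1) throw new IOException("trailing bytes after matrix");
            return new CscMatrix(rows, cols, columnStart, rowIndices, values);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: 3x3 with (0,0)=1.5 and (2,2)=-2.0.
        CscMatrix sample = new CscMatrix(3, 3, new int[] {0, 1, 1, 2}, new int[] {0, 2},
                new double[] {1.5, -2.0});
        byte[] wire = write(sample);
        CscMatrix back = read(wire);
        System.out.println("round trip ok: " + Arrays.equals(sample.values, back.values));

        // Constructed tamper: overwrite the nnz field (bytes 12..15) with Integer.MAX_VALUE.
        // The reader rejects it on the range check, before allocating anything.
        byte[] tampered = wire.clone();
        tampered[12] = 0x7f;
        tampered[13] = (byte) 0xff;
        tampered[14] = (byte) 0xff;
        tampered[15] = (byte) 0xff;
        try {
            read(tampered);
            System.out.println("BUG: tampered stream accepted");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The invariants checked here (monotone columnStart ending at nnz, row indices below rowCount, finite values) are exactly what downstream numerical code relies on; a format that is parsed rather than deserialized lets you enforce them at the trust boundary instead of discovering them as an out-of-bounds access later.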

References

powsybl-core v6.7.2

GitHub Advisory Database (GitHub Reviewed): CVE-2025-47771

Severity: High

Published Jun 19, 2025 in powsybl/powsybl-core (updated Jun 19, 2025)

Package

maven com.powsybl:powsybl-math (Maven)

Affected versions

>= 6.3.0, <= 6.7.1


References

  • GHSA-f5cx-h789-j959
  • powsybl/powsybl-core@8ed16ce
  • https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2

Published to the GitHub Advisory Database

Jun 19, 2025

Last updated

Jun 19, 2025
