CVE-2025-47293: 
Java vulnerability analysis and mitigation

PowSyBl (Power System Blocks), a framework for building power system oriented software, was found to contain XML external entity (XXE) and server-side request forgery (SSRF) vulnerabilities in versions prior to 6.7.2. The vulnerability was discovered and disclosed on June 19, 2025, affecting the XML parsing functionality in powsybl-core, specifically the com.powsybl.commons.xml.XmlReader class (GitHub Advisory).

The vulnerability exists in the XML parsing functionality where the XmlReader class processes untrusted XML input. The issue received a CVSS v4.0 score of 2.7 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U. The vulnerability is tracked under two CWE categories: CWE-611 (Improper Restriction of XML External Entity Reference) and CWE-918 (Server-Side Request Forgery) (NVD).

The vulnerability allows attackers to elevate their privileges and read files they don't have permissions to access, including sensitive system files. This is particularly concerning in multi-tenant applications where different users have different privilege levels. The vulnerability is especially critical when the application allows untrusted users to import untrusted CGMES or XIIDM network files (GitHub Advisory).

The vulnerability has been patched in PowSyBl Core version 6.7.2. Users are strongly advised to upgrade to this version or later. The fix involves adding security properties to the XMLReader implementation (GitHub Release).