CVE-2025-47771: 
Java vulnerability analysis and mitigation

PowSyBl (Power System Blocks), a framework for building power system oriented software, contains a deserialization vulnerability (CVE-2025-47771) discovered and disclosed on June 19, 2025. The vulnerability affects versions 6.3.0 to 6.7.1 of the framework, specifically in the read method of the SparseMatrix class (GitHub Advisory, NVD).

The vulnerability is located in the SparseMatrix class's read method, which processes an InputStream to create a SparseMatrix object. The issue stems from insufficient validation during deserialization, potentially allowing untrusted data to be processed. The vulnerability has been assigned a CVSS v4.0 score of 8.1 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U and is classified as CWE-502 (Deserialization of Untrusted Data) (NVD, Wiz).

The vulnerability can lead to various privilege escalation scenarios depending on the implementation context. It particularly affects multi-tenant applications where users can submit an InputStream for parsing into a SparseMatrix, or local tools that receive InputStream from external sources. The exact impact varies based on the deployment environment and usage patterns (GitHub Advisory).

The vulnerability has been patched in com.powsybl:powsybl-math version 6.7.2. The fix implements proper object type checking during deserialization to prevent security issues. For users unable to upgrade immediately, the recommended workaround is to avoid using SparseMatrix deserialization methods (SparseMatrix.read) entirely (GitHub Release, GitHub Advisory).