CVE-2025-48059: 
Java vulnerability analysis and mitigation

PowSyBl (Power System Blocks), a framework for building power system oriented software, contains a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the RegexCriterion class. The vulnerability affects com.powsybl:powsybl-iidm-criteria versions 6.3.0 to before 6.7.2 and com.powsybl:powsybl-contingency-api versions 5.0.0 to before 6.3.0. The vulnerability was discovered and disclosed in May 2025 (MITRE CVE).

The vulnerability exists in the RegexCriterion class which compiles and evaluates an unvalidated, user-supplied regular expression against the identifier of an Identifiable object via Pattern.compile(regex).matcher(id).find(). The vulnerability requires two attacker-controlled conditions: control over the regex input passed into the constructor (e.g., malicious pattern like (.*a){10000}) and control or influence over the output of Identifiable.getId() (e.g., a long string like 'aaaa...!' that forces excessive backtracking) (GitHub Advisory).

If successfully exploited, a malicious actor can cause significant CPU exhaustion through repeated or recursive filter(...) calls, especially if performed over large network models or filtering operations. While not as dangerous as catastrophic exponential ReDoS, the polynomial pattern still induces significant performance degradation as input size increases (GitHub Advisory).

The vulnerability has been patched in com.powsybl:powsybl-iidm-criteria version 6.7.2. Users are recommended to upgrade to this version or higher to address the vulnerability (GitHub Release).