How the CVE Works
The vulnerability occurs in PowSyBl's `DataSource` mechanism when the `listNames(String regex)` method processes a user-supplied regular expression against file-like resource names. An attacker can trigger polynomial ReDoS by supplying a malicious regex pattern (e.g., `(.a){10000}`) while also controlling the filenames (e.g., `"aaaa...!"`). This forces excessive backtracking in the regex engine, leading to high CPU usage. Unlike exponential ReDoS, this attack uses a greedy `.` prefix with repeated suffixes, causing predictable performance degradation. Multi-tenant systems are particularly vulnerable, as attackers can degrade server availability for competitive advantage.
DailyCVE Form
Platform: PowSyBl
Version: <6.7.2
Vulnerability: ReDoS
Severity: Medium
Date: 2023-XX-XX
Prediction: Patch by Q3 2023
What Undercode Say
grep -r "listNames(String regex)" /path/to/powsybl
curl -X POST --data "regex=(.a){10000}" https://vulnerable-endpoint
How Exploit
- Craft malicious regex (`(.a){10000}`).
- Upload files with long, near-matching names.
- Call `listNames()` to trigger CPU exhaustion.
Protection from this CVE
- Upgrade to v6.7.2+.
- Sanitize regex inputs.
- Restrict filename control.
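The last two mitigations in practice, as an added example (Python, not PowSyBl's own Java code): a guard that refuses caller-supplied patterns with large `{n}` bounds or quantified groups, caps the length of the names it matches against, and only then filters the names. The limits, the `safe_list_names` stand-in for `listNames(regex)`, and its use of a full match are assumptions for this example.

```python
import re

# Limits for this hardening example (constructed assumptions, not PowSyBl settings).
MAX_PATTERN_LENGTH = 256   # longest regex accepted from a caller
MAX_REPETITION = 64        # largest bound allowed in {n} / {n,} / {n,m}
MAX_NAME_LENGTH = 255      # longest resource name the regex is run against

# {n}, {n,} or {n,m}: the bound in (.a){10000} is what multiplies the work per name
_BOUNDED_REPEAT = re.compile(r"\{(\d+)(?:,(\d*))?\}")
# a quantifier applied to a group, e.g. (.a){...} or (a+)+: the usual backtracking shape
_QUANTIFIED_GROUP = re.compile(r"\)(?:[*+?]|\{)")


class UnsafePattern(ValueError):
    """Raised when a caller-supplied regex is refused before it is used."""


def check_pattern(regex: str) -> re.Pattern:
    """Refuse patterns with the shape that causes polynomial backtracking, then compile."""
    if len(regex) > MAX_PATTERN_LENGTH:
        raise UnsafePattern("pattern longer than %d characters" % MAX_PATTERN_LENGTH)
    for match in _BOUNDED_REPEAT.finditer(regex):
        for bound in match.groups():
            if bound and int(bound) > MAX_REPETITION:
                raise UnsafePattern("repetition bound %s exceeds %d" % (bound, MAX_REPETITION))
    if _QUANTIFIED_GROUP.search(regex):
        raise UnsafePattern("quantified groups are not accepted")
    try:
        return re.compile(regex)
    except re.error as exc:
        raise UnsafePattern("invalid regex: %s" % exc) from exc


def is_safe_pattern(regex: str) -> bool:
    """True when check_pattern() accepts the regex."""
    try:
        check_pattern(regex)
        return True
    except UnsafePattern:
        return False


def safe_list_names(names, regex: str) -> list:
    """Hardened stand-in for listNames(regex): validated pattern, capped name length, full match."""
    pattern = check_pattern(regex)
    # Skipping over-long names bounds the work per name even when callers control file names.
    return [n for n in names if len(n) <= MAX_NAME_LENGTH and pattern.fullmatch(n)]
```

The group check is deliberately conservative: it also refuses harmless quantified groups, which is the usual trade-off when the pattern comes from an untrusted caller rather than from configuration.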
Impact
- CPU exhaustion.
- Service degradation.
- Multi-tenant disruption.
Sources:
Reported By: github.com
Extra Source Hub: Undercode