CVE-2025-48058: PowSyBl Core contains Polynomial REDoS’es
What kind of vulnerability is it? Who is impacted?
This is an advisory for a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in PowSyBl's DataSource mechanism. When the listNames(String regex) method is called on a DataSource, the user-supplied regular expression (which may be unvalidated) is compiled and evaluated against a collection of file-like resource names.
To trigger a polynomial ReDoS via this mechanism, two attacker-controlled conditions must be met:
- Control over the regex input passed into listNames(String regex).
  - Example: An attacker supplies a malicious pattern like (.*a){10000}.
- Control or influence over the file/resource names being matched.
  - Example: Filenames such as "aaaa...!" that induce regex engine backtracking.
If both conditions are satisfied, a malicious actor can cause significant CPU consumption due to regex backtracking, even with polynomial patterns. Since both inputs can be controlled via a publicly accessible method or external filesystem handling, the listNames(String regex) method is considered vulnerable to polynomial ReDoS.
Unlike classic catastrophic exponential ReDoS, this subtle attack exploits a greedy .* prefix followed by a fixed suffix, repeated multiple times.
When applied to long filenames that almost match the pattern, the regex engine performs extensive backtracking, and performance degrades predictably with input size. In a multi-tenant environment, an attacker can degrade the performance, and thereby the availability, of the server to an extent that affects other users of the application. This can be useful, for example, when an attacker wants to delay other users in a scenario where a time advantage is a competitive advantage.
A caveat is that the attacker needs to control both the pattern and the input, which may not always be the case.
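A hardened listNames-style wrapper, added here as an example (not PowSyBl's code and not the fix referenced below): it caps the pattern length and aborts any single match that exceeds a time budget, using a CharSequence that checks a deadline on every charAt, which is a standard java.util.regex technique. The class name, constant names and budget values are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Added example, not PowSyBl code or its fix: a listNames-style filter that
 *  bounds the work a caller-supplied regex may do per name. The deadline-checking
 *  CharSequence is a standard java.util.regex mitigation; budgets are assumptions. */
public final class BoundedNameFilter {
    static final int MAX_PATTERN_LENGTH = 256;            // assumption
    static final long BUDGET_NANOS_PER_NAME = 5_000_000L; // 5 ms per name, assumption

    /** Wraps the subject string; Matcher reads it through charAt, so a check there
     *  fires while the engine is backtracking and aborts a runaway match. */
    private static final class DeadlineChars implements CharSequence {
        private final CharSequence s;
        private final long deadline;
        DeadlineChars(CharSequence s, long deadline) { this.s = s; this.deadline = deadline; }
        @Override public int length() { return s.length(); }
        @Override public char charAt(int i) {
            if (System.nanoTime() > deadline) {
                throw new IllegalStateException("regex budget exhausted");
            }
            return s.charAt(i);
        }
        @Override public CharSequence subSequence(int a, int b) {
            return new DeadlineChars(s.subSequence(a, b), deadline);
        }
    }

    /** Returns the names matching regex; throws if the pattern is rejected or
     *  matching any single name exceeds the budget (e.g. the (.*a){10000} case above). */
    public static List<String> listNames(List<String> names, String regex) {
        if (regex.length() > MAX_PATTERN_LENGTH) {
            throw new IllegalArgumentException("pattern too long");
        }
        Pattern p = Pattern.compile(regex); // PatternSyntaxException propagates for bad input
        List<String> out = new ArrayList<>();
        for (String name : names) {
            long deadline = System.nanoTime() + BUDGET_NANOS_PER_NAME;
            if (p.matcher(new DeadlineChars(name, deadline)).matches()) {
                out.add(name);
            }
        }
        return out;
    }
}
```

With the advisory's inputs (a long "aaaa...!" name and the pattern (.*a){10000}), the match is cut off with IllegalStateException once the per-name budget is spent instead of occupying the CPU for the full backtracking run; ordinary patterns such as ".*\\.xml" over normal filenames finish well inside the budget.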
References
- github.com/advisories/GHSA-rqpx-f6rc-7hm5
- github.com/powsybl/powsybl-core
- github.com/powsybl/powsybl-core/commit/72f79dec6d4292f892fbddd68a19c67935c7d81f
- github.com/powsybl/powsybl-core/releases/tag/v6.7.2
- github.com/powsybl/powsybl-core/security/advisories/GHSA-rqpx-f6rc-7hm5
- nvd.nist.gov/vuln/detail/CVE-2025-48058