CVE-2025-23215

CRITICAL

PMD and PMD Designer - Exposure of Sensitive Information via Release Signing Key Passphrase

Title source: llm

Description

PMD is an extensible multilanguage static code analyzer. The passphrase for the PMD and PMD Designer release signing keys are included in jar published to Maven Central. The private key itself is not known to have been compromised itself, but given its passphrase is, it must also be considered potentially compromised. As a mitigation, both compromised keys have been revoked so that no future use of the keys are possible. Note, that the published artifacts in Maven Central under the group id net.sourceforge.pmd are not compromised and the signatures are valid.

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/pmd/pmd/security/advisories/GHSA-88m4-h43f-wx84

Patch x_refsource_misc

https://github.com/pmd/pmd-designer/commit/1548f5f27ba2981b890827fecbd0612fa70a0362

View Patch ZIP pw:eip

Patch x_refsource_misc

https://github.com/pmd/pmd-designer/commit/e87a45312753ec46b3e5576c6f6ac1f7de2f5891

View Patch ZIP pw:eip

Scores

CVSS v4 9.3

EPSS 0.0030

EPSS Percentile 21.6%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-200 CWE-312 CWE-540

Status published

Products (4)

net.sourceforge.pmd/pmd-core 6.21.0 - 7.10.0Maven

net.sourceforge.pmd/pmd-designer 7.0.0 - 7.10.0Maven

net.sourceforge.pmd/pmd-ui 6.14.0Maven

pmd/pmd < 7.10.0

Published Jan 31, 2025

Tracked Since Feb 18, 2026