CVE-2025-23215

CRITICAL

Net.sourceforge.pmd Pmd-designer < 7.10.0 - Information Disclosure

Title source: rule

Description

PMD is an extensible multilanguage static code analyzer. The passphrase for the PMD and PMD Designer release signing keys are included in jar published to Maven Central. The private key itself is not known to have been compromised itself, but given its passphrase is, it must also be considered potentially compromised. As a mitigation, both compromised keys have been revoked so that no future use of the keys are possible. Note, that the published artifacts in Maven Central under the group id net.sourceforge.pmd are not compromised and the signatures are valid.

References (3)

[Vendor Advisory] https://github.com/pmd/pmd/security/advisories/GHSA-88m4-h43f-wx84

[Patch] https://github.com/pmd/pmd-designer/commit/1548f5f27ba2981b890827fecbd0612fa70a0362

[Patch] https://github.com/pmd/pmd-designer/commit/e87a45312753ec46b3e5576c6f6ac1f7de2f5891

View Patch ZIP pw:eip

Scores

CVSS v4 9.3

EPSS 0.0014

EPSS Percentile 34.0%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-200 CWE-312 CWE-540

Status published

Products (4)

net.sourceforge.pmd/pmd-core 6.21.0 - 7.10.0Maven

net.sourceforge.pmd/pmd-designer 7.0.0 - 7.10.0Maven

net.sourceforge.pmd/pmd-ui 6.14.0Maven

pmd/pmd < 7.10.0

Published Jan 31, 2025

Tracked Since Feb 18, 2026