CVE-2025-23215

PMD Designer's release key passphrase (GPG) available on Maven Central in cleartext

Description

PMD is an extensible multilanguage static code analyzer. The passphrase for the PMD and PMD Designer release signing keys are included in jar published to Maven Central. The private key itself is not known to have been compromised itself, but given its passphrase is, it must also be considered potentially compromised. As a mitigation, both compromised keys have been revoked so that no future use of the keys are possible. Note, that the published artifacts in Maven Central under the group id net.sourceforge.pmd are not compromised and the signatures are valid.

Category

9.3
CVSS
Severity: Critical
CVSS 4.0 •
EPSS 0.03%
Affected: pmd pmd
Published at:
Updated at:

References

Link Tags
https://github.com/pmd/pmd/security/advisories/GHSA-88m4-h43f-wx84
https://github.com/pmd/pmd-designer/commit/1548f5f27ba2981b890827fecbd0612fa70a0362
https://github.com/pmd/pmd-designer/commit/e87a45312753ec46b3e5576c6f6ac1f7de2f5891

Frequently Asked Questions

What is the severity of CVE-2025-23215?
CVE-2025-23215 has been scored as a critical severity vulnerability.
How to fix CVE-2025-23215?
To fix CVE-2025-23215, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-23215 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-23215 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-23215?
CVE-2025-23215 affects pmd pmd.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.