PMD release signing key passphrase exposed
CVE-2025-23215 Published on January 31, 2025
PMD Designer's release key passphrase (GPG) available on Maven Central in cleartext
PMD is an extensible multilanguage static code analyzer. The passphrase for the PMD and PMD Designer release signing keys is included in a jar published to Maven Central. The private key itself is not known to have been compromised, but because its passphrase is, it must also be considered potentially compromised. As a mitigation, both compromised keys have been revoked so that no future use of them is possible. Note that the artifacts published in Maven Central under the group id net.sourceforge.pmd are not compromised and their signatures are valid.
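A pre-release check that targets this class of defect, as an added example that is neither PMD's nor this page's own code: scan the text entries of a built jar for credential-like assignments before it is published. The jar and its contents are constructed inline, and `gpg.passphrase` / `signing.password` are made-up key names, not PMD's actual build configuration.

```python
"""Pre-release check: scan a jar for cleartext secrets before publishing.

Added example (not PMD project code). The jar below is constructed in memory
to illustrate the failure class in the advisory: a properties file carrying
a signing-key passphrase ends up inside a published artifact.
"""
import io
import re
import zipfile

# Plain-text entry types worth scanning; compiled classes are skipped.
TEXT_SUFFIXES = (".properties", ".txt", ".xml", ".json", ".yml", ".yaml",
                 ".cfg", ".conf", ".gradle", ".kts")

# key=value or key: value where the key name suggests a credential.
SECRET_KEY = re.compile(
    r"^\s*([\w.\-]*(?:passphrase|password|passwd|secret|token)[\w.\-]*)\s*[=:]\s*(\S.*)$",
    re.IGNORECASE | re.MULTILINE,
)


def scan_jar(data: bytes) -> list[tuple[str, str]]:
    """Return (entry_name, key) for each credential-like key with a literal value."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for info in jar.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue
            text = jar.read(info).decode("utf-8", errors="replace")
            for m in SECRET_KEY.finditer(text):
                value = m.group(2).strip()
                # Placeholders such as ${env.GPG_PASSPHRASE} are acceptable; literals are not.
                if value and not value.startswith("${"):
                    hits.append((info.filename, m.group(1)))
    return hits


def build_sample_jar() -> bytes:
    """Constructed jar: a benign entry, a leaked passphrase, and a placeholder reference."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("build.properties",
                     "release.version=7.9.0\n"
                     "gpg.passphrase=CONSTRUCTED-SAMPLE-NOT-REAL\n")
        jar.writestr("ci.properties", "signing.password=${env.SIGNING_PASSWORD}\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, key in scan_jar(build_sample_jar()):
        print(f"cleartext credential: {entry} -> {key}")
```

Run it against a real artifact with `scan_jar(open("target/pmd-designer.jar", "rb").read())` as a release gate; any hit should fail the build rather than be reviewed after publication.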
Weakness Types
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2025-23215 has been classified as an Information Disclosure vulnerability or weakness.
Inclusion of Sensitive Information in Source Code
Source code on a web server or repository often contains sensitive information and should generally not be accessible to users. There are situations where it is critical to remove source code from an area or server. For example, obtaining Perl source code on a system allows an attacker to understand the logic of the script and extract extremely useful information such as code bugs or logins and passwords.
Cleartext Storage of Sensitive Information
The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Because the information is stored in cleartext, attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Affected Versions
pmd Version < 7.10.0 is affected by CVE-2025-23215
Vulnerable Packages
The following package name and versions may be associated with CVE-2025-23215
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | net.sourceforge.pmd:pmd-designer | >= 7.0.0, < 7.10.0 | 7.10.0 |
| maven | net.sourceforge.pmd:pmd-core | >= 6.21.0, < 7.10.0 | 7.10.0 |
| maven | net.sourceforge.pmd:pmd-ui | >= 6.14.0, <= 6.19.0 | |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.