Critical severityNVD Advisory· Published Jan 31, 2025· Updated Apr 15, 2026

CVE-2025-23215

Description

PMD is an extensible multilanguage static code analyzer. The passphrase for the PMD and PMD Designer release signing keys are included in jar published to Maven Central. The private key itself is not known to have been compromised itself, but given its passphrase is, it must also be considered potentially compromised. As a mitigation, both compromised keys have been revoked so that no future use of the keys are possible. Note, that the published artifacts in Maven Central under the group id net.sourceforge.pmd are not compromised and the signatures are valid.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
net.sourceforge.pmd:pmd-designerMaven	>= 7.0.0, < 7.10.0	7.10.0
net.sourceforge.pmd:pmd-uiMaven	>= 6.14.0, <= 6.19.0	—
net.sourceforge.pmd:pmd-coreMaven	>= 6.21.0, < 7.10.0	7.10.0

Patches

e87a45312753

Explicitly add designer.properties

https://github.com/pmd/pmd-designerAndreas DangelJan 7, 2025via ghsa

commit

2 files changed · +13 −29

pom.xml+8 −29 modified

@@ -99,8 +99,16 @@
                 </includes>
                 <excludes>
                     <exclude>**/*.less</exclude>
+                    <exclude>net/sourceforge/pmd/util/fxdesigner/designer.properties</exclude>
                 </excludes>
             </resource>
+            <resource>
+                <directory>${project.basedir}/src/main/resources/</directory>
+                <includes>
+                    <include>net/sourceforge/pmd/util/fxdesigner/designer.properties</include>
+                </includes>
+                <filtering>true</filtering>
+            </resource>
         </resources>
 
 
@@ -381,35 +389,6 @@
                 </executions>
             </plugin>
 
-            <plugin>
-                <groupId>com.internetitem</groupId>
-                <artifactId>write-properties-file-maven-plugin</artifactId>
-                <version>2.0.0</version>
-                <executions>
-                    <execution>
-                        <phase>generate-resources</phase>
-                        <goals>
-                            <goal>write-properties-file</goal>
-                        </goals>
-                        <configuration>
-                            <filename>
-                                net/sourceforge/pmd/util/fxdesigner/designer.properties
-                            </filename>
-                            <properties>
-                                <property>
-                                    <name>pmd.designer.version</name>
-                                    <value>${pmd.designer.version}</value>
-                                </property>
-                                <property>
-                                    <name>pmd.core.version</name>
-                                    <value>${pmd.core.version}</value>
-                                </property>
-                            </properties>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
-
             <plugin>
                 <groupId>org.sonatype.plugins</groupId>
                 <artifactId>nexus-staging-maven-plugin</artifactId>

src/main/resources/net/sourceforge/pmd/util/fxdesigner/designer.properties+5 −0 added

@@ -0,0 +1,5 @@
+# Loaded in net.sourceforge.pmd.util.fxdesigner.DesignerVersion
+# The variables are replaced by resource filtering, see https://maven.apache.org/plugins/maven-resources-plugin/examples/filter.html
+
+pmd.designer.version=${pmd.designer.version}
+pmd.core.version=${pmd.core.version}

1548f5f27ba2

Include only required properties

https://github.com/pmd/pmd-designerJuan Martín Sotuyo DoderoDec 31, 2024via ghsa

commit

1 file changed · +17 −7

pom.xml+17 −7 modified

@@ -382,19 +382,29 @@
             </plugin>
 
             <plugin>
-                <groupId>org.codehaus.mojo</groupId>
-                <artifactId>properties-maven-plugin</artifactId>
-                <version>1.1.0</version>
+                <groupId>com.internetitem</groupId>
+                <artifactId>write-properties-file-maven-plugin</artifactId>
+                <version>2.0.0</version>
                 <executions>
                     <execution>
                         <phase>generate-resources</phase>
                         <goals>
-                            <goal>write-project-properties</goal>
+                            <goal>write-properties-file</goal>
                         </goals>
                         <configuration>
-                            <outputFile>
-                                ${project.build.outputDirectory}/net/sourceforge/pmd/util/fxdesigner/designer.properties
-                            </outputFile>
+                            <filename>
+                                net/sourceforge/pmd/util/fxdesigner/designer.properties
+                            </filename>
+                            <properties>
+                                <property>
+                                    <name>pmd.designer.version</name>
+                                    <value>${pmd.designer.version}</value>
+                                </property>
+                                <property>
+                                    <name>pmd.core.version</name>
+                                    <value>${pmd.core.version}</value>
+                                </property>
+                            </properties>
                         </configuration>
                     </execution>
                 </executions>

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000