GHSA-j2pc-v64r-mv4f

Source

https://github.com/advisories/GHSA-j2pc-v64r-mv4f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-j2pc-v64r-mv4f/GHSA-j2pc-v64r-mv4f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-j2pc-v64r-mv4f

Published

2025-11-04T15:48:09Z

Modified

2025-11-15T04:13:12.521811Z

Severity

1.0 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N CVSS Calculator

Summary

Protobuf Maven Plugin protocDigest is ignored when using protoc from PATH

Details

Summary

The expected protocDigest is ignored when protoc is taken from the PATH.

Details

The documentation for the protocDigest parameter says:

... Users may wish to specify this if using a PATH-based binary ...

However, when specifying <protoc>PATH</protoc> the protocDigest is not actually checked because the code returns here already https://github.com/ascopes/protobuf-maven-plugin/blob/59097aae8062c461129a13dcda2f4116b90a8765/protobuf-maven-plugin/src/main/java/io/github/ascopes/protobufmavenplugin/protoc/ProtocResolver.java#L91-L93

before the digest check: https://github.com/ascopes/protobuf-maven-plugin/blob/59097aae8062c461129a13dcda2f4116b90a8765/protobuf-maven-plugin/src/main/java/io/github/ascopes/protobufmavenplugin/protoc/ProtocResolver.java#L106

PoC

Specify:

<protoc>PATH</protoc>
<protocDigest>sha256:0000000000000000000000000000000000000000000000000000000000000000</protocDigest>

And notice how the protoc on the PATH is not rejected, despite a digest mismatch.

Impact

Users who have an untrusted protoc executable on their PATH and rely <protocDigest> as protection are affected.

Database specific

{
    "github_reviewed": true,
    "severity": "LOW",
    "cwe_ids": [
        "CWE-354",
        "CWE-693"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2025-11-04T15:48:09Z"
}

References

Affected packages

Maven / io.github.ascopes:protobuf-maven-plugin

Package

Name: io.github.ascopes:protobuf-maven-plugin; View open source insights on deps.dev
Purl: pkg:maven/io.github.ascopes/protobuf-maven-plugin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.0.2

Affected versions

4.*

4.0.0

4.0.1

Database specific

last_known_affected_version_range

"<= 4.0.1"

Maven / io.github.ascopes:protobuf-maven-plugin

Package

Name: io.github.ascopes:protobuf-maven-plugin; View open source insights on deps.dev
Purl: pkg:maven/io.github.ascopes/protobuf-maven-plugin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.10.2

Affected versions

0.*

0.0.1-M1

0.0.1-M2

0.0.1-M3

0.0.1-M4

0.0.1

0.1.0

0.1.1

0.1.2

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.3.0

0.3.1

0.3.2

0.3.3

0.4.0

0.4.1

0.4.2

0.5.0

0.5.1

1.*

1.0.0

1.1.0

1.1.1

1.1.2

1.1.3

1.2.0-rc1

1.2.0

1.2.1

2.*

2.0.0-alpha1

2.0.0-alpha2

2.0.0

2.0.1

2.0.2

2.0.3

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.2.0

2.2.1

2.2.2

2.2.3

2.3.0

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.5.0

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.7.0

2.7.1

2.7.2

2.7.3

2.8.0

2.8.1

2.9.0

2.9.1

2.9.2

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.10.5

2.10.6

2.11.0

2.12.0

2.12.1

2.13.0

2.13.1

3.*

3.0.0

3.1.0

3.1.1

3.1.2

3.1.3

3.2.0

3.2.1

3.2.2

3.2.3

3.3.0

3.3.1

3.4.0

3.4.1

3.4.2

3.5.0

3.6.0

3.6.1

3.7.0

3.8.0

3.8.1

3.8.2

3.9.0

3.9.1

3.9.2

3.10.0

3.10.1