CVE-2025-23215
Java vulnerability analysis and mitigation

Overview

PMD, an extensible multilanguage static code analyzer, published a security advisory for CVE-2025-23215 on January 31, 2025. The passphrases protecting the PMD and PMD Designer release signing keys had been packaged, in cleartext, into jar files published to Maven Central. The private keys themselves were not published, but a passphrase is the only protection an exported OpenPGP secret key carries, so both keys must be treated as potentially compromised (GitHub Advisory).

Technical details

Two signing keys are affected: the PMD Designer Release Signing Key (94A5 2756 9CAF 7A47 AFCA BDE4 86D3 7ECA 8C2E 4C5B), in use since 2019, and the PMD Release Signing Key (EBB2 41A5 45CB 17C8 7FAC B2EB D0BF 1D73 7C9A 1C22), in use since 2020. The leak was found during a reproducible builds analysis of the published artifacts: the PMD Designer build wrote build-time system properties, including the signing passphrases, into the designer.properties file that ships inside the jar, so the passphrases were visible to anyone who unpacked an artifact from Maven Central. The issue carries several CWE classifications: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-312 (Cleartext Storage of Sensitive Information) and CWE-540 (Inclusion of Sensitive Information in Source Code) (NVD).
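As an added illustration (not PMD's code and not the reproducible-builds tooling that found the issue), the following Python script performs the check a consumer could run over jars in a local Maven repository: it unpacks every .properties entry and reports property keys that look like credentials, skipping obvious placeholders such as ${...}. The sample jar it builds, its property names and the passphrase value are constructed for the demonstration and do not reproduce the real PMD Designer artifact.

```python
"""Scan a jar for credential-looking entries in bundled .properties files.

Added example, not PMD project code. The sample jar, its property names and
the passphrase value are constructed for the demonstration.
"""
import io
import re
import sys
import zipfile
from typing import Dict, List, Tuple

# Property keys that have no business inside a distributable artifact.
SUSPICIOUS_KEY = re.compile(
    r"passphrase|password|passwd|secret|token|api[_-]?key", re.IGNORECASE
)

# Values that are clearly not credentials: empty, ${...} placeholders, stand-ins.
PLACEHOLDER_VALUE = re.compile(r"^(\s*|\$\{[^}]*\}|changeme|<[^>]*>)$", re.IGNORECASE)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comments, key[=:]value or
    key<space>value, and backslash line continuation. Escape sequences such as
    \\uXXXX are left undecoded, which is fine for spotting leaked values."""
    entries: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]  # continuation: join with the next line
            continue
        m = re.match(r"^((?:\\.|[^\\=:\s])+)\s*(?:[=:]\s*)?(.*)$", line)
        if m:
            entries[m.group(1)] = m.group(2).rstrip()
    return entries


def scan_jar_bytes(jar_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (entry name, property key, value) for each suspicious property
    found in any .properties entry of the jar. Nested jars are not descended into."""
    findings: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(".properties"):
                continue
            # java.util.Properties files are ISO-8859-1 by specification
            text = zf.read(info).decode("latin-1")
            for key, value in parse_properties(text).items():
                if SUSPICIOUS_KEY.search(key) and not PLACEHOLDER_VALUE.match(value):
                    findings.append((info.filename, key, value))
    return findings


def scan_jar_file(path: str) -> List[Tuple[str, str, str]]:
    """Scan a jar on disk, e.g. one under ~/.m2/repository."""
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read())


def build_sample_jar() -> bytes:
    """Constructed jar imitating the leak: ordinary build metadata next to a
    signing passphrase. Property names and values are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            "designer.properties",
            "# build metadata (constructed sample)\n"
            "designer.version=7.9.0\n"
            "release.signing.passphrase=NotARealPassphrase123\n"
            "db.password=${env.DB_PASSWORD}\n"
            "long.key=first part \\\n"
            "    second part\n",
        )
        zf.writestr("net/example/Designer.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def redact(value: str) -> str:
    """Keep two characters at each end so a finding can be recognised without
    re-publishing the secret in a report."""
    return value[:2] + "*" * (len(value) - 4) + value[-2:] if len(value) > 4 else "****"


def main(argv: List[str]) -> int:
    jars = argv[1:]
    results = (
        [(p, scan_jar_file(p)) for p in jars]
        if jars
        else [("sample.jar (constructed)", scan_jar_bytes(build_sample_jar()))]
    )
    hits = 0
    for name, findings in results:
        for entry, key, value in findings:
            hits += 1
            print(f"{name}: {entry}: {key} = {redact(value)}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with one or more jar paths to scan real artifacts; with no arguments it scans the constructed sample and exits non-zero because of the passphrase entry, which makes it usable as a CI gate on the artifacts a build is about to publish.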

Impact

The affected releases are PMD 6.21.0 through 7.9.0, PMD Designer 7.0.0 through 7.9.0 and PMD Eclipse Plugin 7.9.0.v20241227-1626-r, that is, the releases signed with the two affected keys. The artifacts already published to Maven Central under the group id net.sourceforge.pmd were built and signed by the project and are not themselves compromised; their detached signatures still verify cryptographically, although once the revocations reach a consumer's keyring gpg reports them as made with a revoked key. What the leak undermines is the signing process from here on: anyone who obtains a copy of the encrypted private keys can now unlock them with the leaked passphrases and produce signatures indistinguishable from genuine ones, so the old keys can no longer serve as proof of origin (GitHub Advisory).

Mitigation and workarounds

Both affected keys have been revoked, so they cannot be used for future releases and signature checks against an up-to-date keyring flag them. A new release signing key (2EFA 55D0 785C 31F9 56F2 F87E A0B5 CA1A 4E08 6838) signs subsequent releases of PMD, PMD Designer and the PMD Eclipse Plugin; consumers who verify Maven Central signatures should import it, pin its fingerprint and refresh their keyring so that the revocation certificates for the old keys are present. The PMD Designer build script has been reworked so that sensitive system properties are no longer written into the packaged artifacts (GitHub Advisory).
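For consumers who verify Maven Central signatures, the practical change is to trust only the new key and to refuse anything signed with the revoked ones, even when the local keyring has not yet seen the revocation. The following script is an added example, not PMD tooling: it runs gpg with --status-fd and applies that policy to the machine-readable status lines. The three fingerprints are the advisory's; the policy, the gpg invocation and the status transcripts in sample_runs are this example's own, and the transcripts are constructed rather than captured from real releases.

```python
"""Accept an artifact only if its detached signature comes from the pinned new
PMD release key and gpg did not flag the key as revoked.

Added example, not PMD project tooling. The fingerprints are the advisory's;
the status transcripts in sample_runs() are constructed, not real gpg output.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

NEW_PMD_KEY = "2EFA55D0785C31F956F2F87EA0B5CA1A4E086838"
REVOKED_KEYS = {
    "94A527569CAF7A47AFCABDE486D37ECA8C2E4C5B",  # PMD Designer Release Signing Key
    "EBB241A545CB17C87FACB2EBD0BF1D737C9A1C22",  # PMD Release Signing Key
}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def evaluate_status(status_lines: Iterable[str],
                    pinned: str = NEW_PMD_KEY,
                    revoked: Iterable[str] = REVOKED_KEYS) -> Verdict:
    """Apply the policy to gpg --status-fd output.

    gpg prints VALIDSIG for every cryptographically good signature and, when
    the key is revoked, REVKEYSIG in place of GOODSIG. We require a VALIDSIG
    whose primary-key fingerprint equals the pinned key and no revocation
    marker; the explicit revoked set also catches a stale keyring.
    """
    revoked_set = {f.replace(" ", "").upper() for f in revoked}
    fingerprint = None
    key_revoked = False
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable gpg chatter is not policy input
        fields = line.split()
        if len(fields) < 2:
            continue
        tag = fields[1]
        if tag == "VALIDSIG":
            # fields[2]: fingerprint of the (sub)key that signed;
            # fields[11]: primary key fingerprint, emitted by modern gpg
            fingerprint = (fields[11] if len(fields) > 11 else fields[2]).upper()
        elif tag in ("REVKEYSIG", "KEYREVOKED"):
            key_revoked = True
        elif tag in ("BADSIG", "ERRSIG", "NODATA"):
            return Verdict(False, f"signature not good: {tag}")
    if fingerprint is None:
        return Verdict(False, "no VALIDSIG line: nothing verified")
    if key_revoked or fingerprint in revoked_set:
        return Verdict(False, "signed with a revoked key", fingerprint)
    if fingerprint != pinned.replace(" ", "").upper():
        return Verdict(False, "unexpected signing key", fingerprint)
    return Verdict(True, "good signature from pinned key", fingerprint)


def verify_artifact(artifact: str, signature: str, gpg_home: Optional[str] = None) -> Verdict:
    """Run gpg on a downloaded jar and its .asc. Needs gpg on PATH and the new
    key imported into the keyring (for example via gpg --recv-keys)."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", signature, artifact]
    if gpg_home:
        cmd[1:1] = ["--homedir", gpg_home]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return evaluate_status(proc.stdout.splitlines())


def sample_runs() -> Dict[str, List[str]]:
    """Constructed status transcripts, one per outcome (not captured from real releases)."""
    old_key = "EBB241A545CB17C87FACB2EBD0BF1D737C9A1C22"
    other_key = "0123456789ABCDEF0123456789ABCDEF01234567"  # hypothetical third key
    return {
        "good": [
            "[GNUPG:] NEWSIG",
            f"[GNUPG:] GOODSIG {NEW_PMD_KEY[-16:]} Constructed Sample UID",
            f"[GNUPG:] VALIDSIG {NEW_PMD_KEY} 2025-01-31 1738281600 0 4 0 1 10 00 {NEW_PMD_KEY}",
        ],
        "revoked": [
            "[GNUPG:] NEWSIG",
            f"[GNUPG:] REVKEYSIG {old_key[-16:]} Constructed Sample UID",
            f"[GNUPG:] VALIDSIG {old_key} 2024-12-27 1735257600 0 4 0 1 10 00 {old_key}",
        ],
        "unknown": [
            f"[GNUPG:] GOODSIG {other_key[-16:]} Constructed Sample UID",
            f"[GNUPG:] VALIDSIG {other_key} 2025-02-01 1738368000 0 4 0 1 10 00 {other_key}",
        ],
        "bad": ["[GNUPG:] NEWSIG", f"[GNUPG:] BADSIG {NEW_PMD_KEY[-16:]} Constructed Sample UID"],
    }


def main() -> None:
    for name, lines in sample_runs().items():
        v = evaluate_status(lines)
        print(f"{name:8s} -> {'ACCEPT' if v.ok else 'REJECT'}: {v.reason} ({v.fingerprint})")


if __name__ == "__main__":
    main()
```

gpg only switches from GOODSIG to REVKEYSIG once the keyring contains the revocation certificate (gpg --refresh-keys), so a consumer with a stale keyring would otherwise still see a clean result for a signature made by the old keys after the leak; that is why the policy compares the fingerprint against an explicit revoked set as well.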

This report was generated using AI.