PT-2025-46976 · Maven · io.github.ascopes:protobuf-maven-plugin

Published: 2025-11-04 · Updated: 2025-11-04

CVSS v4.0: 1.0 (Low)

Vector: AV:L/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Summary

The expected protocDigest is ignored when protoc is taken from the PATH, so a PATH-resolved binary is never checked against the configured digest.

Details

The documentation for the protocDigest parameter says:
... Users may wish to specify this if using a PATH-based binary ...

PoC

Specify:

```xml
<protoc>PATH</protoc>
<protocDigest>sha256:0000000000000000000000000000000000000000000000000000000000000000</protocDigest>
```

and notice that the protoc found on the PATH is not rejected, despite the digest mismatch.

Impact

Users who have an untrusted protoc executable on their PATH and rely on <protocDigest> to reject it are affected.
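As an added illustration (not the plugin's own code), the following stand-alone Python check enforces the digest the advisory expects: the binary is hashed and compared whether it was given as a file path or resolved from PATH, with the literal value PATH mirroring the plugin's <protoc>PATH</protoc> setting. It assumes the sha256:<hex> digest format shown in the PoC and uses a constructed fake protoc in a temporary directory as its PATH.

```python
import hashlib
import hmac
import os
import shutil
import tempfile

def parse_digest(spec):
    """Split 'sha256:<hex>' into (algorithm, hex); reject unknown algorithms, bad hex and wrong lengths."""
    algo, _, hexdigest = spec.lower().partition(":")
    if algo not in hashlib.algorithms_guaranteed or len(bytes.fromhex(hexdigest)) != hashlib.new(algo).digest_size:
        raise ValueError(f"malformed digest spec: {spec!r}")
    return algo, hexdigest

def file_digest(path, algo):
    """Hex digest of the whole binary (protoc is small enough to read in one go)."""
    with open(path, "rb") as f:
        return hashlib.new(algo, f.read()).hexdigest()

def resolve_protoc(protoc, path_env=None):
    """Mirror the plugin's <protoc> setting: the literal 'PATH' means look the binary up on PATH."""
    if protoc != "PATH":
        return protoc
    found = shutil.which("protoc", path=path_env)
    if found is None:
        raise FileNotFoundError("protoc not found on PATH")
    return found

def verify_protoc(protoc, digest_spec, path_env=None):
    """Return the resolved protoc path only if its digest matches; the PATH case gets no exemption."""
    resolved = resolve_protoc(protoc, path_env)
    algo, expected = parse_digest(digest_spec)
    actual = file_digest(resolved, algo)
    if not hmac.compare_digest(actual, expected):
        raise RuntimeError(f"protoc digest mismatch for {resolved}: want {algo}:{expected}, got {algo}:{actual}")
    return resolved

def demo():
    """Constructed scenario: a fake protoc on a private PATH, checked against a good and a bogus digest."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "protoc")
        with open(fake, "wb") as f:
            f.write(b"#!/bin/sh\necho fake protoc\n")  # constructed stand-in, not a real protoc
        os.chmod(fake, 0o755)  # shutil.which only returns executable files
        accepted = verify_protoc("PATH", "sha256:" + file_digest(fake, "sha256"), path_env=d) == fake
        try:
            verify_protoc("PATH", "sha256:" + "0" * 64, path_env=d)  # the all-zero digest from the PoC
            rejected = False
        except RuntimeError:
            rejected = True
        return accepted, rejected
```

Calling demo() returns (True, True): the correct digest is accepted and the all-zero digest from the PoC is rejected even though protoc was resolved from PATH.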

Fix

Weakness Enumeration

Protection Mechanism Failure

Related Identifiers

GHSA-J2PC-V64R-MV4F

Affected Products

io.github.ascopes:protobuf-maven-plugin