Improper Validation of Integrity Check Value in io.github.ascopes:protobuf-maven-plugin

Q: How to fix?

Upgrade io.github.ascopes:protobuf-maven-plugin to version 4.0.2 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JAVA-IOGITHUBASCOPES-13834354
published5 Nov 2025
disclosed4 Nov 2025
creditMarcono1234

Report a new vulnerability Found a mistake?

Introduced: 4 Nov 2025

NewCWE-354 (opens in a new tab)

How to fix?

Upgrade io.github.ascopes:protobuf-maven-plugin to version 4.0.2 or higher.

Overview

Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value due to the protocDigest parameter being ignored when the protoc executable is sourced from the system PATH. An attacker can bypass integrity verification by placing a malicious protoc binary earlier in the PATH, leading to the execution of untrusted code during the build process.

Note: This is only exploitable if an untrusted or malicious protoc binary is present in the system PATH and users rely on the digest check for security.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
High
Attack Requirements (AT)
Present
Privileges Required (PR)
Low
User Interaction (UI)
Active

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
Low
Availability (SA)
None

Improper Validation of Integrity Check Value Affecting io.github.ascopes:protobuf-maven-plugin package, versions [,4.0.2)

Severity