GHSA-j2pc-v64r-mv4f: 
Java vulnerability analysis and mitigation

A low severity vulnerability (GHSA-j2pc-v64r-mv4f) was discovered in the Protobuf Maven Plugin affecting versions 4.0.0-4.0.1 and versions below 3.10.2. The vulnerability relates to the protocDigest parameter being ignored when protoc is taken from the PATH, which was disclosed on November 3, 2025. The affected package is io.github.ascopes:protobuf-maven-plugin for Maven systems (GitHub Advisory).

The vulnerability stems from a validation issue where the protocDigest parameter, intended to verify the integrity of PATH-based binaries, is bypassed. When specifying PATH, the code prematurely returns before performing the digest check, effectively ignoring any specified digest validation. The vulnerability has been assigned a CVSS v4.0 score of 1.0 (Low) with the vector string CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N, indicating local access requirements and high attack complexity (GitHub Advisory).

The vulnerability affects users who rely on protocDigest for protection against untrusted protoc executables in their PATH. When exploited, it could allow the execution of an unverified protoc binary, potentially compromising the integrity of the build process (GitHub Advisory).

The vulnerability has been patched in versions 3.10.2 and 4.0.2. Users are advised to upgrade to these patched versions to ensure proper digest validation for PATH-based protoc executables (GitHub Advisory).