GHSA-j2pc-v64r-mv4f: Protobuf Maven Plugin protocDigest is ignored when using protoc from PATH

November 4, 2025 (updated November 15, 2025)

The expected protocDigest is ignored when protoc is taken from the PATH.

References

github.com/advisories/GHSA-j2pc-v64r-mv4f
github.com/ascopes/protobuf-maven-plugin
github.com/ascopes/protobuf-maven-plugin/commit/d3330e7038a296fe595c5470a22019eb70e35b07
github.com/ascopes/protobuf-maven-plugin/security/advisories/GHSA-j2pc-v64r-mv4f

Code Behaviors & Features

Detect and mitigate GHSA-j2pc-v64r-mv4f with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →