Antlr4
Monthly
Path traversal in ANTLR4 up to 4.13.2 exposes arbitrary file read via the tokenVocab grammar option handler. The vulnerable function getImportedVocabFile in TokenVocabParser.java fails to sanitize user-controlled grammar option values, allowing an attacker to supply a crafted .g4 grammar file that causes the tool to read files outside the intended working directory. A publicly available proof-of-concept exploit exists (GitHub issue reference), and no vendor patch has been released - the vendor did not respond to disclosure. No active exploitation is confirmed in CISA KEV, but the CVSS 4.0 E:P flag confirms exploit code is public.
Time-of-check time-of-use (TOCTOU) race condition in antlr4-maven-plugin up to version 4.13.2 allows a local low-privileged attacker to manipulate grammar dependency state between validation and consumption in ObjectInputStream.readObject() within GrammarDependencies.java, yielding limited confidentiality, integrity, and availability impact on build artifacts. No public exploit identified at time of analysis is incorrect here - a publicly available exploit exists via a GitHub issue, though KEV listing is absent, indicating no confirmed widespread active exploitation. The CVSS 4.0 score of 1.1 reflects genuine low real-world risk due to local-only access, high attack complexity, and constrained impact scope.
Command injection in ANTLR4's Go code generation target (GoTarget.java) allows a local low-privilege attacker to execute arbitrary OS commands via unsanitized input passed to the gofmt invocation, affecting all versions up to 4.13.2. This vulnerability is scoped entirely to local environments such as developer workstations or CI/CD pipelines running ANTLR4 Go target code generation. A publicly available proof-of-concept exploit exists per the GitHub disclosure, but this is not confirmed as actively exploited (not in CISA KEV), and the CVSS 4.0 base score of 1.9 reflects its genuinely constrained real-world impact.
Code injection in ANTLR4's Grammar Action Block Handler allows remote attackers to execute arbitrary code by supplying a crafted grammar file processed by the tool. All versions up to and including 4.13.2 are affected via the OutputFile.java code generation pathway. A public proof-of-concept exploit exists on GitHub (no KEV listing), though the vendor has not acknowledged or patched the issue, leaving users without an official fix.
Path traversal in ANTLR4 up to 4.13.2 exposes arbitrary file read via the tokenVocab grammar option handler. The vulnerable function getImportedVocabFile in TokenVocabParser.java fails to sanitize user-controlled grammar option values, allowing an attacker to supply a crafted .g4 grammar file that causes the tool to read files outside the intended working directory. A publicly available proof-of-concept exploit exists (GitHub issue reference), and no vendor patch has been released - the vendor did not respond to disclosure. No active exploitation is confirmed in CISA KEV, but the CVSS 4.0 E:P flag confirms exploit code is public.
Time-of-check time-of-use (TOCTOU) race condition in antlr4-maven-plugin up to version 4.13.2 allows a local low-privileged attacker to manipulate grammar dependency state between validation and consumption in ObjectInputStream.readObject() within GrammarDependencies.java, yielding limited confidentiality, integrity, and availability impact on build artifacts. No public exploit identified at time of analysis is incorrect here - a publicly available exploit exists via a GitHub issue, though KEV listing is absent, indicating no confirmed widespread active exploitation. The CVSS 4.0 score of 1.1 reflects genuine low real-world risk due to local-only access, high attack complexity, and constrained impact scope.
Command injection in ANTLR4's Go code generation target (GoTarget.java) allows a local low-privilege attacker to execute arbitrary OS commands via unsanitized input passed to the gofmt invocation, affecting all versions up to 4.13.2. This vulnerability is scoped entirely to local environments such as developer workstations or CI/CD pipelines running ANTLR4 Go target code generation. A publicly available proof-of-concept exploit exists per the GitHub disclosure, but this is not confirmed as actively exploited (not in CISA KEV), and the CVSS 4.0 base score of 1.9 reflects its genuinely constrained real-world impact.
Code injection in ANTLR4's Grammar Action Block Handler allows remote attackers to execute arbitrary code by supplying a crafted grammar file processed by the tool. All versions up to and including 4.13.2 are affected via the OutputFile.java code generation pathway. A public proof-of-concept exploit exists on GitHub (no KEV listing), though the vendor has not acknowledged or patched the issue, leaving users without an official fix.