CVE-2026-13502
Received - Intake

Time-of-Check Time-of-Use in ANTLR4 Maven Plugin

Vulnerability report for CVE-2026-13502, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulDB

Description

A flaw has been found in antlr ANTLR4 up to 4.13.2. This affects the function ObjectInputStream.readObject of the file antlr4-maven-plugin/src/main/java/org/antlr/mojo/antlr4/GrammarDependencies.java of the component Maven Plugin. This manipulation causes time-of-check time-of-use. The attack is restricted to local execution. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Meta Information

Published: 2026-06-28
Last Modified: 2026-06-28
Generated: 2026-06-28
AI Q&A: 2026-06-28
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor   Product   Version / Range
antlr    antlr4    4.13.2
antlr    antlr4    up to and including 4.13.2

Exploitability

CWE ID    Description
CWE-362   The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-367   The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

AI Quick Actions

Executive Summary

This vulnerability exists in the ANTLR4 Maven Plugin (up to version 4.13.2) due to unsafe Java object deserialization in the GrammarDependencies.java file. Specifically, the plugin uses ObjectInputStream.readObject() without restricting deserialization to trusted classes, which allows an attacker with write access to the build directory to replace a serialized status file with a malicious gadget chain. This can lead to Remote Code Execution (RCE) on the build server. Additionally, there is a Time-of-Check to Time-of-Use (TOCTOU) race condition between checking the file's existence and opening it, which further facilitates exploitation.

Impact Analysis

Exploitation of this vulnerability can lead to severe impacts including full access to Continuous Integration (CI) secrets, compromise of code integrity, and potential disruption of the build infrastructure. An attacker could execute arbitrary code on the build server, which may result in unauthorized control over the build process and sensitive information exposure.

Detection Guidance

This vulnerability involves unsafe Java object deserialization in the ANTLR4 Maven Plugin, specifically in the GrammarDependencies.java file using ObjectInputStream.readObject without proper filtering.

Detection can focus on identifying the presence of a vulnerable plugin version (ANTLR4 Maven Plugin 4.13.2 and earlier) and monitoring for suspicious file modifications or deserialization attempts in the build directory.

Suggested commands include:

  • Check which version of the plugin your build resolves (the plugin is declared under `<build><plugins>`, so it does not appear in the dependency list): `mvn dependency:resolve-plugins | grep antlr4-maven-plugin`
  • Monitor the build directory, recursively, for unexpected file changes or new serialized files: `inotifywait -m -r -e create,modify,moved_to /path/to/build/directory` (Linux)
  • Search for usage of ObjectInputStream.readObject in your codebase to identify unsafe deserialization: `grep -rn 'readObject' /path/to/project`
  • Review logs for suspicious deserialization activity or errors related to object input streams (for example InvalidClassException or StreamCorruptedException raised while loading a cached status file).

Mitigation Strategies

Immediate mitigation steps include:

  • Replace Java serialization with safer data formats such as JSON or Protocol Buffers to avoid unsafe deserialization.
  • Implement an ObjectInputFilter to whitelist trusted classes during deserialization, preventing malicious gadget chains from executing.
  • Address the Time-of-Check to Time-of-Use (TOCTOU) race condition by ensuring atomic file checks and access.
  • Restrict write access to the build directory to trusted users only to prevent attackers from replacing serialized files.
  • Monitor and audit build server activity for unusual behavior or unauthorized file modifications.
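
As an added illustration (not ANTLR's source, and not a patch the project has published), the following Java shows the check-then-use and unfiltered readObject pattern described on this page next to a hardened reader that applies the second and third mitigation bullets: an ObjectInputFilter allow-list and opening the file without a separate existence check. The status file name, the root type (a Map) and the allow-listed classes are assumptions for the example; the real allow-list must be derived from the types the plugin's writer actually serialises.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectStreamException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Collections;
import java.util.Map;

/**
 * Illustrative hardening of a "load a cached status object from the build directory" step.
 * Not ANTLR's code; the file name and the allow-listed types are assumptions for this example.
 * Requires Java 9+ for ObjectInputFilter.
 */
public final class HardenedStatusReader {

    /**
     * Allow-list filter. Only the concrete types the status file is expected to contain are
     * accepted; the trailing "!*" rejects every other class before its readObject/readResolve
     * logic can run. The type list is an ASSUMPTION for this example: derive the real one from
     * what the writer serialises. The limits bound memory use on a corrupt or oversized file.
     */
    private static final ObjectInputFilter STATUS_FILTER = ObjectInputFilter.Config.createFilter(
            "java.util.HashMap;java.util.HashSet;java.lang.String;java.lang.Long;"
            + "maxdepth=8;maxrefs=50000;maxbytes=4194304;!*");

    /** Check-then-use pattern as described in the advisory (illustrative, not the project's source). */
    static Object readStatusUnsafe(Path statusFile) throws IOException, ClassNotFoundException {
        if (!Files.exists(statusFile)) {                       // check ...
            return null;
        }
        try (ObjectInputStream ois =                           // ... use: the file can be swapped
                new ObjectInputStream(Files.newInputStream(statusFile))) {   // in between, and
            return ois.readObject();                           // nothing restricts what is read
        }
    }

    /**
     * Hardened version: no separate existence check (open once and treat "missing" as an
     * ordinary outcome), an allow-list filter installed on the stream, and a root-type check
     * after reading. Any rejection is handled as "cache unusable, start fresh", which is safe
     * because the status file is a derived artifact that the build can always regenerate.
     */
    static Map<?, ?> readStatus(Path statusFile) throws IOException {
        try (InputStream in = Files.newInputStream(statusFile);
             ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(STATUS_FILTER);
            Object root = ois.readObject();
            if (!(root instanceof Map)) {
                throw new InvalidClassException("unexpected root type: "
                        + (root == null ? "null" : root.getClass().getName()));
            }
            return (Map<?, ?>) root;
        } catch (NoSuchFileException e) {
            return Collections.emptyMap();                     // first build, or cache removed
        } catch (ObjectStreamException | ClassNotFoundException e) {
            // Filter rejected a class, the header was corrupt, or the root type was wrong:
            // discard the cache rather than trust it. The message names the offending class,
            // which is a useful signal for the log review suggested above.
            System.err.println("status file rejected, rebuilding from scratch: " + e.getMessage());
            return Collections.emptyMap();
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumed location; the real plugin's status file path is not given on this page.
        Path statusFile = Paths.get(args.length > 0 ? args[0] : "target/antlr4-status.ser");
        Map<?, ?> status = readStatus(statusFile);
        System.out.println("loaded " + status.size() + " cached entries");
    }
}
```

Removing the pre-check closes the check/use window, but on its own it does not help against a status file that was already replaced before the build started; the allow-list filter is the control that stops an unexpected class from being instantiated at all, and restricting who can write to the build directory reduces the chance of the file being replaced in the first place. The three bullets are therefore complementary rather than alternatives.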

Compliance Impact

This vulnerability allows attackers with write access to the build directory to execute remote code on the build server, potentially leading to full access to CI secrets, compromise of code integrity, and disruption of build infrastructure.

Such impacts could lead to violations of common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining system integrity and availability.

Specifically, unauthorized access to secrets or disruption of build processes could result in data breaches or service interruptions, both of which are critical compliance concerns under these regulations.
