Francisco Guerrero created CASSANALYTICS-109:
------------------------------------------------
Summary: Address LZ4 vulnerability (CVE-2025-12183)
Key: CASSANALYTICS-109
URL: https://issues.apache.org/jira/browse/CASSANALYTICS-109
Project: Apache Cassandra Analytics
Issue Type: Bug
Reporter: Francisco Guerrero
Assignee: Francisco Guerrero
Analytics uses the org.lz4:lz4-java (v1.8.0) dependency to calculate the
xxhash. Details of the CVE:
https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183 . We need
to address the issue of the vulnerability. One option is to move the dependency
to a version that addresses the vulnerability; however, there are some
complications because the library is no longer being maintained by the original
author and a fork has been created that addresses this issue. An alternative
approach is to not rely on this dependency and use an alternative library
(commons-codec, for example), similar to what Cassandra Sidecar implements.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
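The second option above (dropping lz4-java in favour of commons-codec for the xxhash) only works cleanly if the replacement yields bit-identical digests, since any digest already persisted or compared across components would otherwise stop matching. The following is an added compatibility check, not code from the Cassandra Analytics or Sidecar projects: it hashes a few constructed inputs with both lz4-java (net.jpountz.xxhash) and commons-codec (org.apache.commons.codec.digest.XXHash32) and fails if they disagree. The class name, the sample inputs and the seeds are assumptions for illustration; it assumes both libraries are on the classpath, and lz4-java is kept only for the duration of the comparison.

```java
import java.nio.charset.StandardCharsets;
import java.util.zip.Checksum;

import net.jpountz.xxhash.XXHashFactory;
import org.apache.commons.codec.digest.XXHash32;

/**
 * Hypothetical migration check (not project code): confirms that commons-codec's
 * XXHash32 produces the same 32-bit digest as lz4-java for the same input and
 * seed, so digests stay comparable after the dependency is swapped.
 */
public final class XxHashMigrationCheck {

    /** Digest via the dependency being removed (lz4-java, pure-Java implementation). */
    static int lz4Xxhash32(byte[] data, int seed) {
        return XXHashFactory.fastestJavaInstance().hash32().hash(data, 0, data.length, seed);
    }

    /** Digest via the proposed replacement (commons-codec, implements java.util.zip.Checksum). */
    static int commonsXxhash32(byte[] data, int seed) {
        Checksum h = new XXHash32(seed);
        h.update(data, 0, data.length);
        // Checksum.getValue() returns the unsigned 32-bit value widened to long; narrow it back.
        return (int) h.getValue();
    }

    public static void main(String[] args) {
        // Constructed sample inputs (assumption) chosen to cross the algorithm's block
        // boundaries: empty, shorter than one 16-byte stripe, exactly one stripe, and a
        // multi-stripe message with a partial tail.
        byte[][] samples = {
            new byte[0],
            "abc".getBytes(StandardCharsets.UTF_8),
            "0123456789abcdef".getBytes(StandardCharsets.UTF_8),
            "The quick brown fox jumps over the lazy dog".getBytes(StandardCharsets.UTF_8),
        };
        // Seed 0 is the default in both libraries; the second seed is an arbitrary non-zero value.
        int[] seeds = {0, 0x9E3779B1};

        for (int seed : seeds) {
            for (byte[] s : samples) {
                int fromLz4 = lz4Xxhash32(s, seed);
                int fromCommons = commonsXxhash32(s, seed);
                if (fromLz4 != fromCommons) {
                    throw new AssertionError(String.format(
                        "mismatch for %d bytes, seed 0x%08x: lz4-java=%08x commons-codec=%08x",
                        s.length, seed, fromLz4, fromCommons));
                }
            }
        }

        // Published xxHash32 reference vector: the empty input with seed 0 hashes to 0x02CC5D05.
        if (commonsXxhash32(new byte[0], 0) != 0x02CC5D05) {
            throw new AssertionError("commons-codec XXHash32 does not match the xxHash32 reference vector");
        }

        System.out.println("xxhash32 digests agree between lz4-java and commons-codec for all samples");
    }
}
```

Run it once with both artifacts on the classpath; if it passes, the lz4-java dependency can be removed from the build and the call sites switched to the Checksum-based API, leaving no code path that still loads the vulnerable library. The check deliberately covers inputs shorter than, equal to and longer than one 16-byte stripe, because the tail-handling code is where two independent xxHash32 implementations are most likely to diverge.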