Jiyoung Lee created KAFKA-20043:
-----------------------------------
Summary: Kafka-clients is vulnerable due to CVE-2025-12183, CVE-2025-66566
Key: KAFKA-20043
URL: https://issues.apache.org/jira/browse/KAFKA-20043
Project: Kafka
Issue Type: Bug
Reporter: Jiyoung Lee
Kafka-clients references `lz4-java`, which needs to be updated due to
vulnerability issues.
`lz4-java` has to be 1.10.1 or higher to resolve the issue.
h2. yawkat LZ4 Java has a possible information leak in Java safe decompressor
h2. Description
Insufficient clearing of the output buffer in Java-based decompressor
implementations in lz4-java 1.10.0 and earlier allows remote attackers to read
previous buffer contents via crafted compressed input. In applications where
the output buffer is reused without being cleared, this may lead to disclosure
of sensitive data.
JNI-based implementations are _not_ affected.
h2. LZ4 Java Compression has Out-of-bounds memory operations which can cause DoS
h2. Description
Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow
remote attackers to cause denial of service and read adjacent memory via
untrusted compressed input.
This is fixed in a forked release: at.yawk.lz4:lz4-java version 1.8.1. The
original project has been archived: [https://github.com/lz4/lz4-java], and
Sonatype has added a redirect from org.lz4:lz4-java:1.8.1 to the new group ID.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
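An added check for the dependency described in this issue (example code, not from the Kafka project or from lz4-java): it scans `mvn dependency:tree` output for `lz4-java` under either group ID and flags any version below 1.10.1, the release the issue names as fixed. The sample tree is constructed, the `com.example` application and the versions of kafka-clients and its other dependencies are placeholders, and `org.lz4:lz4-java:1.8.1` is deliberately still flagged because the output-buffer leak affects 1.10.0 and earlier.

```python
"""Audit a `mvn dependency:tree` listing for lz4-java versions below 1.10.1.

Added example for this issue, not code from the Kafka project or from
lz4-java. The dependency tree below is constructed sample input, and the
versions of kafka-clients and its other dependencies in it are placeholders.
"""
import re

# Maven prints coordinates as group:artifact:type[:classifier]:version[:scope].
# Capture group and artifact, then the remaining ':'-separated tokens.
COORD_RE = re.compile(r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+)(?P<rest>(?::[\w.\-]+)+)")

# Both group IDs carry the same library: org.lz4 is the archived upstream
# (1.8.0 and earlier), at.yawk.lz4 the fork. The issue names 1.10.1 as the
# first release with both fixes, so the floor applies to either group.
LZ4_GROUPS = {"org.lz4", "at.yawk.lz4"}
LZ4_ARTIFACT = "lz4-java"
MIN_SAFE = "1.10.1"


def split_version(v):
    """Return (numeric components, has_qualifier) for a Maven-style version."""
    nums, qualified = [], False
    for piece in re.split(r"[.\-]", v):
        if piece.isdigit():
            nums.append(int(piece))
        else:
            qualified = True  # e.g. SNAPSHOT, rc1, beta
    return tuple(nums), qualified


def is_older(version, floor):
    """True if `version` sorts below `floor`. Missing components count as 0,
    and a qualifier ranks below the plain release, so 1.10.1-SNAPSHOT is
    still older than 1.10.1 and gets flagged."""
    a, aq = split_version(version)
    b, bq = split_version(floor)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    if a != b:
        return a < b
    return aq and not bq


def coordinate(line):
    """Parse one dependency:tree line into (group, artifact, version) or None."""
    m = COORD_RE.search(line)
    if not m:
        return None
    tokens = m["rest"].split(":")[1:]  # the leading ':' yields an empty token
    # The version is the first token that starts with a digit; this skips the
    # packaging type and a classifier such as 'linux-x86_64'.
    version = next((t for t in tokens if t[:1].isdigit()), None)
    if version is None:
        return None
    return m["group"], m["artifact"], version


def find_vulnerable_lz4(tree_lines, floor=MIN_SAFE):
    """Return [(group, version)] for every lz4-java below `floor`."""
    findings = []
    for line in tree_lines:
        coord = coordinate(line)
        if coord is None:
            continue
        group, artifact, version = coord
        if group in LZ4_GROUPS and artifact == LZ4_ARTIFACT and is_older(version, floor):
            findings.append((group, version))
    return findings


# Constructed sample output of `mvn dependency:tree` for an app that pulls
# lz4-java transitively through kafka-clients (all versions are placeholders).
SAMPLE_TREE = """\
[INFO] com.example:consumer-app:jar:1.0.0
[INFO] +- org.apache.kafka:kafka-clients:jar:3.9.0:compile
[INFO] |  +- com.github.luben:zstd-jni:jar:1.5.6-4:compile
[INFO] |  +- org.lz4:lz4-java:jar:1.8.0:compile
[INFO] |  \\- org.xerial.snappy:snappy-java:jar:1.1.10.5:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.36:compile
""".splitlines()

if __name__ == "__main__":
    for group, version in find_vulnerable_lz4(SAMPLE_TREE):
        print(f"{group}:{LZ4_ARTIFACT}:{version} is below {MIN_SAFE}; pin the at.yawk.lz4 fork")
```

Because the fixed artifact lives under a different group ID, Maven treats `at.yawk.lz4:lz4-java` and `org.lz4:lz4-java` as unrelated artifacts: adding the fork as a direct dependency does not displace the transitive `org.lz4` copy, so the old jar has to be excluded from kafka-clients as well, and the tree re-checked afterwards.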