matmannion opened a new issue, #2536: URL: https://github.com/apache/pekko/issues/2536
lz4-java is used in pekko-serialization-jackson. [CVE-2025-12183](https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183) notes a number of issues with this when using `fastestInstance()`, as seems to be currently used in `JacksonSerializer`: https://github.com/apache/pekko/blob/main/serialization-jackson3/src/main/scala/org/apache/pekko/serialization/jackson3/JacksonSerializer.scala#L266-L268

An automated scan picked this up as an open vulnerability in our project that uses pekko. Regardless of whether this is actually exploitable, one thing to note from the CVE:

> `org.lz4:lz4-java:1.8.1` is a relocation pom pointing to `at.yawk.lz4:lz4-java:1.8.1`, provided by Sonatype. Users that upgrade to the former coordinates will get the latter artifact, and a warning to update their maven coordinates. Future releases (including 1.9.0) will only be published under the `at.yawk.lz4` group ID.
