CVE-2025-66566
📋 TL;DR
This vulnerability in the yawkat LZ4 Java library allows an attacker who supplies crafted compressed input to read the previous contents of the output buffer. Applications that reuse output buffers without clearing them between operations may leak sensitive data. Only the pure-Java decompressor implementations are affected, not the JNI-based ones.
💻 Affected Systems
- yawkat LZ4 Java library
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE database entry does not specify which versions are vulnerable (no version ranges were provided by the vendor or NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of sensitive data from memory buffers, potentially including authentication tokens, encryption keys, or other confidential information processed by the application.
Likely Case
Information disclosure of previously processed data in applications that reuse output buffers, potentially exposing application-specific sensitive information.
If Mitigated
Minimal impact if applications properly clear output buffers between uses or use JNI-based implementations.
🎯 Exploit Status
Exploitation requires applications to reuse output buffers without clearing them. The advisory includes technical details but no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.10.1
Vendor Advisory: https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q
Restart Required: Yes
Instructions:
1. Update the lz4-java dependency to version 1.10.1 or later.
2. Update pom.xml or build.gradle to use 'com.github.yawkat:lz4-java:1.10.1'.
3. Rebuild and redeploy affected applications.
4. Restart services using the updated library.
🔧 Temporary Workarounds
Clear output buffers manually
Ensure output buffers are cleared or reinitialized between decompression operations.
// Java code: Arrays.fill(outputBuffer, (byte) 0); or allocate a new buffer for each operation
Use JNI-based implementation
Switch to the JNI-based decompressor, which is not affected by this vulnerability.
// Configure to use the JNI implementation if available
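As an added example (not code from the lz4-java project or the advisory), the following wrapper applies the first workaround: it zeroes a reused output buffer before every decompression and hands back only the bytes the current call produced. It assumes the yawkat fork keeps the upstream net.jpountz.lz4 API (LZ4Factory, LZ4SafeDecompressor.decompress(src, srcOff, srcLen, dest, destOff)); the sample strings are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4SafeDecompressor;

// Added example, not part of lz4-java or the advisory. Assumes the yawkat fork
// keeps the upstream net.jpountz.lz4 API used below.
public final class ClearedBufferDecompressor {
    private final LZ4SafeDecompressor decompressor;
    private final byte[] outputBuffer; // reused across calls, hence must be cleared

    public ClearedBufferDecompressor(int maxDecompressedLength) {
        // The pure-Java decompressor is the affected code path; the JNI one is not.
        this.decompressor = LZ4Factory.safeInstance().safeDecompressor();
        this.outputBuffer = new byte[maxDecompressedLength];
    }

    /**
     * Decompresses one block into the reused buffer. The buffer is zeroed first,
     * so a crafted block whose back-references point before the current output
     * can only read zeros, never the plaintext left behind by an earlier call.
     */
    public synchronized byte[] decompress(byte[] compressed) {
        Arrays.fill(outputBuffer, (byte) 0);
        int written = decompressor.decompress(compressed, 0, compressed.length, outputBuffer, 0);
        // Return exactly the bytes this call produced, never the whole shared buffer.
        byte[] result = Arrays.copyOf(outputBuffer, written);
        // Clear the plaintext once copied out, so it does not linger in the buffer either.
        Arrays.fill(outputBuffer, 0, written, (byte) 0);
        return result;
    }

    public static void main(String[] args) {
        LZ4Compressor compressor = LZ4Factory.safeInstance().fastCompressor();
        ClearedBufferDecompressor d = new ClearedBufferDecompressor(4096);

        // Constructed sample: a sensitive value is processed first, then an unrelated block.
        byte[] first = d.decompress(compressor.compress("token=SECRET-VALUE".getBytes(StandardCharsets.UTF_8)));
        byte[] second = d.decompress(compressor.compress("hello, world".getBytes(StandardCharsets.UTF_8)));

        System.out.println(new String(first, StandardCharsets.UTF_8));
        System.out.println(new String(second, StandardCharsets.UTF_8));
        // By the time the second call runs, the shared buffer holds no remnant of the
        // first call, which removes the precondition the advisory describes.
    }
}
```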
🧯 If You Can't Patch
- Implement input validation to reject suspicious compressed data
- Isolate applications using vulnerable library from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check project dependencies for lz4-java version 1.10.0 or earlier. Review if applications reuse output buffers in decompression operations.
Check Version:
mvn dependency:tree | grep lz4-java
or
gradle dependencies | grep lz4-java
Verify Fix Applied:
Verify lz4-java version is 1.10.1 or later in dependencies. Test with known malicious compressed input to ensure no data leakage.
📡 Detection & Monitoring
Log Indicators:
- Unusual decompression errors or failures
- Abnormally large or malformed compressed input being processed
Network Indicators:
- Repeated compressed data submissions to vulnerable endpoints
- Patterns of crafted input targeting decompression services
SIEM Query:
source="application_logs" AND (message="*decompress*" OR message="*lz4*") AND (message="*error*" OR message="*fail*")