CVE-2025-67721
📋 TL;DR
CVE-2025-67721 is a memory disclosure vulnerability in the Aircompressor Java library: malformed Snappy and LZ4 compressed data can leak previous buffer contents during decompression. This affects applications that reuse output buffers across multiple decompression operations, potentially exposing sensitive data left over from earlier operations. Web servers and applications using Aircompressor versions 3.3 and below are vulnerable.
💻 Affected Systems
- Aircompressor Java library
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sensitive data leakage including authentication tokens, session data, or confidential information from memory buffers exposed to attackers.
Likely Case
Information disclosure of previously processed compressed data, potentially revealing application state or user data.
If Mitigated
Minimal impact with proper input validation and buffer isolation practices.
🎯 Exploit Status
Exploitation requires sending crafted compressed data to vulnerable endpoints. This follows the same vulnerability pattern as GHSA-cmp6-m4wj-q63q.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4
Vendor Advisory: https://github.com/airlift/aircompressor/security/advisories/GHSA-vx9q-rhv9-3jvg
Restart Required: Yes
Instructions:
1. Update the Aircompressor dependency to version 3.4 or higher.
2. Update pom.xml or build.gradle to use 'com.facebook.airlift:aircompressor:3.4'.
3. Rebuild and redeploy the application.
4. Restart affected services.
🔧 Temporary Workarounds
Disable buffer reuse
Configure applications to allocate a new output buffer for each decompression operation instead of reusing buffers.
Input validation
Implement strict validation of compressed data size and format before decompression.
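The two workarounds above, written out as a defensive wrapper around the Aircompressor Snappy decompressor. This is an added illustration, not code from the Aircompressor project or the advisory; it assumes the library's `io.airlift.compress.snappy.SnappyDecompressor` class with a static `getUncompressedLength(byte[], int)` and an instance `decompress(in, inOff, inLen, out, outOff, maxOut)` returning the number of bytes written, and the size limit `MAX_UNCOMPRESSED` is a hypothetical policy value.

```java
import io.airlift.compress.snappy.SnappyDecompressor;
import java.util.Arrays;

/**
 * Defensive Snappy decompression (added example, not Aircompressor's own code).
 * Two mitigations for CVE-2025-67721 style stale-buffer leaks:
 *   1. validate the declared uncompressed size before allocating anything;
 *   2. never hand out bytes beyond what the decompressor reports as written,
 *      and never let a reused buffer carry over data from a prior call.
 */
public final class SafeSnappy {
    // Hypothetical policy limit on declared output size; tune per application.
    private static final int MAX_UNCOMPRESSED = 16 * 1024 * 1024;

    private final SnappyDecompressor decompressor = new SnappyDecompressor();

    /** Preferred path: a fresh, exactly sized buffer per call, so no stale bytes exist. */
    public byte[] decompress(byte[] compressed, int offset, int length) {
        // Assumed API: reads the size header without decompressing anything.
        int declared = SnappyDecompressor.getUncompressedLength(compressed, offset);
        if (declared < 0 || declared > MAX_UNCOMPRESSED) {
            throw new IllegalArgumentException("declared uncompressed size out of policy: " + declared);
        }
        // A new Java array is zero-filled, so it cannot contain a previous caller's data.
        byte[] out = new byte[declared];
        int written = decompressor.decompress(compressed, offset, length, out, 0, out.length);
        // Only the reported byte count is trustworthy; a short result is treated as malformed
        // rather than returned with unwritten (here: zero) tail bytes.
        if (written != declared) {
            throw new IllegalStateException("short output: expected " + declared + ", got " + written);
        }
        return out;
    }

    /**
     * Fallback when a pooled buffer must be reused: wipe it before use and on failure,
     * and return the written length so callers read only that many bytes.
     */
    public int decompressInto(byte[] compressed, int offset, int length, byte[] reusable) {
        Arrays.fill(reusable, (byte) 0);          // no leftovers from the previous operation
        try {
            int written = decompressor.decompress(compressed, offset, length, reusable, 0, reusable.length);
            return written;                        // caller must use reusable[0..written) only
        } catch (RuntimeException e) {
            Arrays.fill(reusable, (byte) 0);      // do not leave partial output for the next caller
            throw e;
        }
    }
}
```

The first method is the "disable buffer reuse" workaround: each call gets a zeroed, exactly sized array, so even malformed input that under-fills the output cannot expose another request's data. The second method keeps a pooled buffer for throughput-sensitive code but removes the leak by clearing the buffer and forcing callers to respect the returned length.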
🧯 If You Can't Patch
- Implement network-level filtering to block malformed compressed data at load balancers or WAFs
- Isolate vulnerable services behind additional authentication layers and limit exposure
🔍 How to Verify
Check if Vulnerable:
Check application dependencies for Aircompressor version 3.3 or lower. Review if Snappy or LZ4 decompression is used with buffer reuse.
Check Version:
mvn dependency:tree | grep aircompressor
or
gradle dependencies | grep aircompressor
Verify Fix Applied:
Verify Aircompressor version is 3.4 or higher in dependency files and runtime classpath.
📡 Detection & Monitoring
Log Indicators:
- Unusual decompression errors
- Memory access violations in Java logs
- Increased garbage collection activity during decompression
Network Indicators:
- Unusually sized compressed payloads
- Repeated decompression requests with varying data
SIEM Query:
source="application.logs" AND ("decompression error" OR "buffer overflow" OR "malformed compressed")