EXECUTIVE SUMMARY:
A high-severity vulnerability, CVE-2025-12183, has been identified in lz4-java, affecting all versions up to and including 1.8.0 (org.lz4:lz4-java, org.lz4:lz4-pure-java, and net.jpountz.lz4:lz4 ≤ 1.8.0). The flaw is an out-of-bounds read caused by missing bounds validation in the high-performance decompression paths, in particular the JNI "fast" decompressor and the Unsafe-based Java implementation. A remote attacker who can supply a crafted compressed block to an affected decompressor may trigger a Denial of Service (DoS) or potentially leak memory contents. The vulnerability carries a CVSS score of 8.8 (High).
RECOMMENDATION:
We strongly recommend updating lz4-java to version 1.8.1 or 1.9.0.
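Upgrading is the fix. Until every deployment is on 1.8.1 or 1.9.0, the following added example (written for this page; it is not code from the advisory or from the lz4-java project) shows how an application can narrow its exposure when decompressing LZ4 blocks received from a peer: it avoids handing the "fast" decompressor a peer-supplied original length, uses the safe decompressor with an explicit srcLen and maxDestLen, caps the declared size, and treats any mismatch as malformed input. The class name UntrustedLz4Block, the MAX_DECOMPRESSED limit and the sample payload are assumptions for illustration. Note that org.lz4:lz4-pure-java ≤ 1.8.0 is also listed as affected, so this is defence in depth, not a substitute for the upgrade.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Exception;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4SafeDecompressor;

/**
 * Added example, not part of the advisory or of lz4-java: decompress a raw
 * LZ4 block from an untrusted peer with caller-controlled bounds, instead of
 * passing a peer-declared original length to the "fast" decompressor.
 */
public final class UntrustedLz4Block {

    // Hypothetical application-level cap on decompressed size (assumption).
    private static final int MAX_DECOMPRESSED = 1 << 20; // 1 MiB

    private final LZ4SafeDecompressor decompressor;

    public UntrustedLz4Block(LZ4Factory factory) {
        // The safe decompressor takes both srcLen and maxDestLen, so the
        // library can reject a stream that overruns either buffer.
        this.decompressor = factory.safeDecompressor();
    }

    /**
     * Decompress a raw LZ4 block whose declared original size came from the peer.
     * The declared size only sizes the output buffer and is range-checked; the
     * stream is then required to produce exactly that many bytes.
     */
    public byte[] decompress(byte[] src, int srcOff, int srcLen, int declaredLen) {
        if (declaredLen < 0 || declaredLen > MAX_DECOMPRESSED) {
            throw new IllegalArgumentException("declared size out of range: " + declaredLen);
        }
        if (srcOff < 0 || srcLen < 0 || srcOff > src.length - srcLen) {
            throw new IllegalArgumentException("compressed slice lies outside the buffer");
        }
        byte[] dest = new byte[declaredLen];
        int produced;
        try {
            produced = decompressor.decompress(src, srcOff, srcLen, dest, 0, dest.length);
        } catch (LZ4Exception e) {
            // Malformed or truncated stream: fail closed.
            throw new IllegalArgumentException("malformed LZ4 block", e);
        }
        if (produced != declaredLen) {
            throw new IllegalArgumentException(
                "declared size " + declaredLen + " but stream produced " + produced);
        }
        return dest;
    }

    public static void main(String[] args) {
        // Pure-Java implementation without Unsafe; still run this on 1.8.1 or 1.9.0.
        LZ4Factory factory = LZ4Factory.safeInstance();
        LZ4Compressor compressor = factory.fastCompressor();
        UntrustedLz4Block reader = new UntrustedLz4Block(factory);

        // Constructed sample payload; repetition keeps the block compressible.
        byte[] original = "constructed sample payload, constructed sample payload"
                .getBytes(StandardCharsets.UTF_8);
        byte[] compressed = compressor.compress(original);

        byte[] ok = reader.decompress(compressed, 0, compressed.length, original.length);
        System.out.println("round trip ok: " + Arrays.equals(original, ok));

        // Peer overstates the original size: the produced count does not match, so reject.
        try {
            reader.decompress(compressed, 0, compressed.length, original.length + 16);
            System.out.println("unexpected: oversized declaration accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Truncated stream: the safe decompressor throws or produces fewer bytes;
        // both paths end in rejection instead of a read past srcLen.
        try {
            reader.decompress(compressed, 0, compressed.length / 2, original.length);
            System.out.println("unexpected: truncated stream accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it against a build of lz4-java on the classpath; the round trip prints true and both tampered inputs are rejected. The length-equality check matters because a safe decompressor with a generous maxDestLen will happily return fewer bytes than the peer promised, and downstream code that trusts the declared size would then read uninitialised tail bytes of its own buffer.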
REFERENCES:
The following reports contain further technical details: