CVE-2025-12183
Out-of-bounds Read/Write vulnerability in lz4-java (Maven)
What is CVE-2025-12183 About?
This vulnerability involves out-of-bounds memory operations in the lz4-java library when processing untrusted compressed input. An attacker can leverage it with a specially crafted input to trigger a denial of service or read adjacent memory. Exploitation is relatively easy once the attacker understands how to manipulate the compressed data.
Affected Software
- at.yawk.lz4:lz4-java
  - <1.8.1
- org.lz4:lz4-java
  - <1.8.1
- org.lz4:lz4-pure-java
  - <=1.8.0
- net.jpountz.lz4:lz4
  - <=1.3.0
Technical Details
The vulnerability resides in the org.lz4:lz4-java library, affecting versions 1.8.0 and earlier. When untrusted compressed input is processed, the library fails to properly validate boundaries, leading to out-of-bounds memory read/write operations. Specifically, certain sequences or structures within the compressed data can cause the decompression logic to access memory locations beyond the intended buffer. This can manifest as either reading sensitive data from adjacent memory regions or overwriting critical program data, leading to a denial of service or potentially more severe impacts.
What is the Impact of CVE-2025-12183?
Successful exploitation may allow attackers to cause system instability or crashes due to denial of service, and potentially gain access to sensitive information from memory.
What is the Exploitability of CVE-2025-12183?
Exploitation of this vulnerability has moderate complexity. An attacker needs to craft a specially malformed compressed input that triggers the out-of-bounds memory operation. No authentication or privileged access is typically required, as the vulnerability resides in the processing of arbitrary input. Access is usually remote, where an attacker sends the malicious compressed data to a server or application that uses the vulnerable lz4-java library. The primary constraint is that the target application must use the affected version of the org.lz4:lz4-java library and process untrusted input. The likelihood of exploitation increases in environments where compressed data from untrusted sources is routinely handled without robust input validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-12183?
Available Upgrade Options
- at.yawk.lz4:lz4-java
  - <1.8.1 → Upgrade to 1.8.1
- org.lz4:lz4-java
  - <1.8.1 → Upgrade to 1.8.1
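The quickest defensive check is to confirm whether a build actually pulls one of the affected coordinates, including transitively. The script below is an added example, not part of this advisory or of the lz4-java project: it parses `mvn dependency:tree` style lines (the sample listing is constructed), matches each artifact against the affected ranges published above, and reports the fixed version where the advisory lists one. The version comparison is a simplified numeric-only ordering that ignores qualifiers such as `-SNAPSHOT`, which is an assumption rather than Maven's full ordering rules.

```python
"""Flag Maven artifacts that fall inside the CVE-2025-12183 affected ranges.

Added example (not the advisory's or the project's own code). Assumes
`groupId:artifactId:type[:classifier]:version:scope` tokens as printed by
`mvn dependency:tree`; the SAMPLE_TREE below is constructed input.
"""
import re
from typing import List, Optional, Tuple

# Affected ranges as stated in the advisory: coordinate -> (operator, bound).
AFFECTED = {
    "at.yawk.lz4:lz4-java": ("<", "1.8.1"),
    "org.lz4:lz4-java": ("<", "1.8.1"),
    "org.lz4:lz4-pure-java": ("<=", "1.8.0"),
    "net.jpountz.lz4:lz4": ("<=", "1.3.0"),
}

# Fixed versions the advisory lists; the other two coordinates carry no fix on the page.
FIXED = {
    "at.yawk.lz4:lz4-java": "1.8.1",
    "org.lz4:lz4-java": "1.8.1",
}

# Constructed sample output in dependency:tree format (not a real project).
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.lz4:lz4-java:jar:1.8.0:compile
[INFO] +- org.lz4:lz4-pure-java:jar:1.8.0:compile
[INFO] +- net.jpountz.lz4:lz4:jar:1.3.0:compile
[INFO] +- at.yawk.lz4:lz4-java:jar:1.8.1:compile
[INFO] \- com.example:transport:jar:2.4.0:compile
[INFO]    \- org.lz4:lz4-java:jar:1.8.0:compile
"""


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components of a Maven version; qualifiers after '-' are ignored (simplification)."""
    core = version.split("-")[0]
    return tuple(int(x) for x in re.findall(r"\d+", core))


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two version tuples, padding the shorter one with zeros (1.8 == 1.8.0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(coordinate: str, version: str) -> bool:
    """True when the coordinate is listed and the version lies inside its affected range."""
    rng = AFFECTED.get(coordinate)
    if rng is None:
        return False
    op, bound = rng
    c = _cmp(version_key(version), version_key(bound))
    return c < 0 if op == "<" else c <= 0


def parse_dependency_line(line: str) -> Optional[Tuple[str, str]]:
    """Extract (groupId:artifactId, version) from one dependency:tree line, or None."""
    token = line.strip()
    token = re.sub(r"^\[INFO\]\s*", "", token)   # drop the Maven log prefix
    token = re.sub(r"^[|+\\\- ]+", "", token)     # drop tree-drawing glyphs
    parts = token.split(":")
    if len(parts) < 3:
        return None
    # The version is the first component after type/classifier that starts with a digit.
    version = next((p for p in parts[2:] if p[:1].isdigit()), None)
    if version is None:
        return None
    return f"{parts[0]}:{parts[1]}", version


def scan(tree_text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (coordinate, version, fixed_version_or_None) for every affected artifact found."""
    findings = []
    for line in tree_text.splitlines():
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        coord, version = parsed
        if is_affected(coord, version):
            findings.append((coord, version, FIXED.get(coord)))
    return findings


if __name__ == "__main__":
    for coord, version, fix in scan(SAMPLE_TREE):
        action = f"upgrade to {fix}" if fix else "no fixed version listed in the advisory"
        print(f"AFFECTED {coord}:{version} -> {action}")
```

Run it against `mvn dependency:tree | python3 scan_lz4.py` style input by replacing `SAMPLE_TREE` with stdin; the transitive occurrence in the sample shows why checking only the direct dependencies in `pom.xml` is not enough.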
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2025-12183
- https://github.com/yawkat/lz4-java/releases/tag/v1.8.1
- http://www.openwall.com/lists/oss-security/2025/12/01/5
- https://github.com/yawkat/lz4-java
- https://osv.dev/vulnerability/GHSA-vqf4-7m7x-wgfc
- https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
What are Similar Vulnerabilities to CVE-2025-12183?
Similar Vulnerabilities: CVE-2023-38936, CVE-2022-36940, CVE-2022-26164, CVE-2021-39282, CVE-2021-35515
