CVE-2025-66566
Exposure of Sensitive Information vulnerability in lz4-java (Maven)

Weakness class: Exposure of Sensitive Information. Known exploits: none.

What is CVE-2025-66566 About?

This vulnerability stems from insufficient clearing of the output buffer in the Java-based decompressor implementations of lz4-java, allowing remote attackers to disclose sensitive data. By supplying crafted compressed input, an attacker can cause prior buffer contents to be copied into the decompressed output. Exploitation is moderately complex and relies on the application reusing its output buffer across decompression calls.

Affected Software

  • at.yawk.lz4:lz4-java
    • <1.10.1
  • org.lz4:lz4-java
    • <=1.8.1
  • org.lz4:lz4-pure-java
    • <=1.8.1
  • net.jpountz.lz4:lz4
    • <=1.8.1

Technical Details

The vulnerability lies within specific Java-based decompressor implementations in lz4-java (e.g., LZ4Factory.safeInstance(), unsafeInstance(), fastestJavaInstance()). During decompression, the LZ4 algorithm may copy data from previously decompressed content within the output buffer. With a specially crafted compressed input, an attacker can manipulate the decompression process to copy from a region of the output buffer that contains stale, sensitive data from previous operations, inadvertently including it in the decompressed output. This occurs when the output buffer is reused and not properly zeroed or cleared before a new decompression operation, leading to the disclosure of sensitive information.

What is the Impact of CVE-2025-66566?

Successful exploitation may allow attackers to gain unauthorized access to or disclose sensitive information, potentially leading to privacy violations or further system compromise.

What is the Exploitability of CVE-2025-66566?

Exploitation of this vulnerability requires remote access, specifically the ability for an attacker to provide crafted compressed input to an application using the affected lz4-java decompressor. No specific authentication or privilege is required from the attacker's perspective, beyond the ability to send data to the vulnerable application. The complexity is moderate, as it requires crafting specific compressed input to induce the desired buffer copying behavior. Special conditions include the application reusing the output buffer across decompression operations without clearing its contents beforehand. The risk is elevated in applications that handle untrusted compressed data and reuse decompression buffers for performance reasons.
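The Technical Details and Exploitability sections above both hinge on one application-side condition: a long-lived output buffer reused across decompression calls without being cleared. The following Java sketch is an added illustration, not code from the lz4-java project or from this advisory; it shows that reuse pattern next to a cleared-before-use variant using the public net.jpountz.lz4 API (LZ4Factory, LZ4Compressor, LZ4SafeDecompressor). The class and method names are ours, and the "secret" and "second request" inputs are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4SafeDecompressor;

public class ReusedBufferDemo {
    private static final LZ4Factory FACTORY = LZ4Factory.fastestJavaInstance();
    private static final LZ4SafeDecompressor DECOMP = FACTORY.safeDecompressor();

    // One long-lived output buffer shared across requests: the pattern the advisory warns about.
    final byte[] pooled = new byte[64 * 1024];

    // Risky pattern: whatever the previous request left in `pooled` stays there, so on an
    // unfixed lz4-java a malformed match offset can copy those stale bytes into this result.
    byte[] decompressDirty(byte[] compressed, int destOff) {
        int n = DECOMP.decompress(compressed, 0, compressed.length, pooled, destOff);
        return Arrays.copyOfRange(pooled, destOff, destOff + n);
    }

    // Hardened pattern: wipe the whole reused buffer first. Fixed library versions reject such
    // input; clearing limits what an unfixed version could expose to zeros rather than old data.
    byte[] decompressCleared(byte[] compressed, int destOff) {
        Arrays.fill(pooled, (byte) 0); // the entire buffer, not just the slice after destOff
        int n = DECOMP.decompress(compressed, 0, compressed.length, pooled, destOff);
        return Arrays.copyOfRange(pooled, destOff, destOff + n);
    }

    private static byte[] compress(LZ4Compressor comp, byte[] in) {
        byte[] out = new byte[comp.maxCompressedLength(in.length)];
        int n = comp.compress(in, 0, in.length, out, 0);
        return Arrays.copyOf(out, n);
    }

    public static void main(String[] args) {
        ReusedBufferDemo demo = new ReusedBufferDemo();
        LZ4Compressor comp = FACTORY.fastCompressor();
        byte[] secret = "prior-request-session-token".getBytes(StandardCharsets.UTF_8); // constructed
        byte[] second = "second request".getBytes(StandardCharsets.UTF_8);             // constructed

        demo.decompressDirty(compress(comp, secret), 0);   // request 1 leaves the token in pooled[0..n)
        demo.decompressDirty(compress(comp, second), 4096); // request 2 reuses the dirty buffer further in
        System.out.println("stale bytes still in buffer: "
                + new String(demo.pooled, 0, secret.length, StandardCharsets.UTF_8));

        demo.decompressCleared(compress(comp, second), 4096); // same call, buffer wiped first
        boolean wiped = true;
        for (int i = 0; i < secret.length; i++) wiped &= demo.pooled[i] == 0;
        System.out.println("stale region cleared before reuse: " + wiped);
    }
}
```

Clearing the buffer is a defence-in-depth measure for code that must keep pooling buffers; the actual fix is upgrading to a version that rejects the malformed match offsets.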

What are the Known Public Exploits?

No known public exploits (the PoC / Author / Link / Commentary table for this CVE is empty).

What are the Available Fixes for CVE-2025-66566?

Available Upgrade Options

  • at.yawk.lz4:lz4-java
    • <1.10.1 → Upgrade to 1.10.1


Additional Resources

What are Similar Vulnerabilities to CVE-2025-66566?

Similar Vulnerabilities: CVE-2025-12183