How to fix CVE-2025-66566?

Within 24 hours: Inventory all applications using lz4-java library and identify those running versions 1.10.0 or earlier; assess whether output buffers are reused without clearing. Within 7 days: Upgrade to lz4-java 1.10.1 or later for all affected applications, or implement buffer clearing logic if upgrade is not immediately feasible. Within 30 days: Validate all upgrades in production, conduct code review of custom decompression implementations to ensure proper buffer handling, and monitor for any exploitation attempts in application logs.

Is Java affected by CVE-2025-66566?

CVE-2025-66566 affects yawkat LZ4 Java library versions 1.10.0 and earlier, allowing attackers to extract sensitive data from memory buffers in applications that reuse decompression buffers without clearing them.

CVE-2025-66566

EUVD-2025-201456 HIGH

2025-12-05 [email protected]

GHSA-cmp6-m4wj-q63q

8.2

CVSS 4.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 15, 2026 - 17:08 euvd

EUVD-2025-201456

Analysis Generated

Mar 15, 2026 - 17:08 vuln.today

CVE Published

Dec 05, 2025 - 18:15 nvd

HIGH 8.2

Description

yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.

Analysis

Technical Context

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls.

Affected Products

Affected: Java-based decompressor implementations in lz4-java 1

Remediation

Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +41

POC: 0

Vendor Status

Ubuntu

Priority: Medium

lz4-java

Release	Status	Version
plucky	ignored	end of life, was needs-triage
focal	needed	-
jammy	needed	-
noble	needed	-
questing	needed	-
upstream	released	1.10.1

Debian

Bug #1122026

lz4-java

Release	Status	Fixed Version	Urgency
bullseye	vulnerable	1.5.1-3	-
bookworm	vulnerable	1.8.0-3	-
forky, sid, trixie	vulnerable	1.8.0-4	-
(unstable)	fixed	(unfixed)	-

CVE-2025-66566 vulnerability details – vuln.today

Back

CVE-2025-66566

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-66566

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code