Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1,446 maven packages depend on at.yawk.lz4:lz4-java (99 direct, 1,354 indirect)
- 178 maven packages depend on org.lz4:lz4-java (57 direct, 123 indirect)
Ecosystem-wide dependent count for version 1.10.1 and other introduced versions.
DescriptionGitHub Advisory
yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.
Analysis
yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.
Technical ContextAI
Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls.
RemediationAI
Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Information Disclosure
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| plucky | ignored | end of life, was needs-triage |
| focal | needed | - |
| jammy | needed | - |
| noble | needed | - |
| questing | needed | - |
| upstream | released | 1.10.1 |
Debian
Bug #1122026| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 1.5.1-3 | - |
| bookworm | vulnerable | 1.8.0-3 | - |
| forky, sid, trixie | vulnerable | 1.8.0-4 | - |
| (unstable) | fixed | (unfixed) | - |
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Liberty Linux 9 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-201456
GHSA-cmp6-m4wj-q63q