[CVE‐2025‐12183] Out-of-bounds memory access in lz4-java

[matmannion]

lz4-java is used in pekko-serialization-jackson, CVE-2025-12183 notes a number of issues with this when using fastestInstance() as seems to be currently used in JacksonSerializer: https://github.com/apache/pekko/blob/main/serialization-jackson3/src/main/scala/org/apache/pekko/serialization/jackson3/JacksonSerializer.scala#L266-L268

An automated scan picked this up as an open vulnerability in our project that uses pekko.

Regardless of whether this is actually exploitable, one thing to note from the CVE:

org.lz4:lz4-java:1.8.1 is a relocation pom pointing to at.yawk.lz4:lz4-java:1.8.1, provided by Sonatype. Users that upgrade to the former coordinates will get the latter artifact, and a warning to update their maven coordinates. Future releases (including 1.9.0) will only be published under the at.yawk.lz4 group ID.

[pjfanning]

Thanks @matmannion for bringing this to our attention. I'm looking at switching to the @yawkat jar.

[raboof]

https://repo1.maven.org/maven2/org/lz4/lz4-java/1.8.1/lz4-java-1.8.1.pom confirms the relocation

[yawkat]

FYI, the combination fastestInstance().safeDecompressor() is secure as long as the JNI implementation is used. For the JNI implementation, only .fastDecompressor() is problematic.

However if JNI is not used, e.g. on an unsupported platform or because library loading fails for another reason, fastestInstance will fall back to the Unsafe-based implementation where safeDecompressor is not secure.

So most of your users are probably fine, but it's best to update anyway to avoid an insecure fallback.

[pjfanning]

CVE-2025-12183 - link to GitHub tracking

[pjfanning]

@yawkat there is what I believe is a small mistake in https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183

https://mvnrepository.com/artifact/net.jpountz.lz4/lz4 has a latest release of 1.3.0, not 1.8.0

[yawkat]

net.jpountz.lz4 was renamed to org.lz4 at some point. Just in case someone has weird maven setups where they have newer versions of the net.jpountz.lz4 artifact, I decided to make the broken version 1.8.0 for that coordinate too. Is it a problem? I can get Sonatype to change it if necessary.

[pjfanning]

net.jpountz.lz4 was renamed to org.lz4 at some point. Just in case someone has weird maven setups where they have newer versions of the net.jpountz.lz4 artifact, I decided to make the broken version 1.8.0 for that coordinate too. Is it a problem? I can get Sonatype to change it if necessary.

@yawkat not a big deal if you set it like that deliberately

I checked the Pekko code again and we use the safe decompressor already so I think we shouldn't be too badly affected. we'll still upgrade to your jar anyway.

[pjfanning]

1.4.0 release includes this upgrade but also upgrades to at.yawk.lz4:lz-java 1.10.1 to include the other CVE fix in that release