CVE-2025-66566
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-08
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yawkat | lz4-java | 1.10.1 |
| yawkat | lz4-java | 1.10.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in yawkat LZ4 Java versions 1.10.0 and earlier, where the output buffer in the Java-based decompressor is not sufficiently cleared. This allows remote attackers to craft compressed input that causes the decompressor to leak previous buffer contents, potentially exposing sensitive data. JNI-based implementations are not affected. The issue is fixed in version 1.10.1.
How can this vulnerability impact me?
If you use affected versions of yawkat LZ4 Java in your applications and reuse output buffers without clearing them, attackers can exploit this vulnerability to read sensitive data from previous decompression operations. This can lead to unauthorized disclosure of sensitive information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can lead to unauthorized disclosure of sensitive data, which may result in non-compliance with data protection regulations such as GDPR and HIPAA that require safeguarding personal and sensitive information.
What immediate steps should I take to mitigate this vulnerability?
Update the yawkat LZ4 Java library to version 1.10.1 or later, as this version fixes the vulnerability related to insufficient clearing of the output buffer in Java-based decompressor implementations. Avoid using vulnerable versions (1.10.0 and earlier) especially in applications that reuse output buffers without clearing them.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying usage of vulnerable lz4-java library versions (1.10.0 and earlier) in Java applications that perform LZ4 decompression. Because the issue involves crafted compressed input causing leakage from insufficiently cleared output buffers, detection combines verifying the library version in use with monitoring for suspicious or malformed LZ4 compressed inputs. The resources provide no specific commands for direct detection on the network or system; you can, however, check the lz4-java version in your project dependencies (e.g., with Maven or Gradle dependency commands) and review logs or application behavior for anomalies during decompression. To confirm the fix, ensure the library is upgraded to version 1.10.1 or later, or that output buffers are zeroed before decompression. [1, 2]
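One way to apply the mitigation the "immediate steps" and "detection" answers above describe (zero the output buffer before every decompression, and never hand a reused buffer to another party uncleared), as an added Java example written for this record and not code from the advisory, this page or the lz4-java project. It assumes the lz4-java API as I know it: net.jpountz.lz4.LZ4Factory.safeInstance(), safeDecompressor(), fastCompressor(), and the six-argument decompress method that returns the number of bytes written. The class name ClearedLz4Decompressor and the sample strings are constructed for illustration. Upgrading to 1.10.1 or later remains the actual fix; this wrapper is defense in depth for code that cannot upgrade immediately or that wants to avoid the buffer-reuse pattern the advisory warns about.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4SafeDecompressor;

/**
 * Hypothetical defensive wrapper (not part of lz4-java): clears the reused
 * destination buffer before every decompression and returns only the bytes
 * the decompressor actually wrote, so stale data from an earlier call is
 * never passed on to the caller or to another actor.
 */
public final class ClearedLz4Decompressor {

    private final LZ4SafeDecompressor decompressor;

    // One long-lived scratch buffer: the reuse pattern the advisory warns about
    // when the buffer is not cleared between calls.
    private final byte[] scratch;

    public ClearedLz4Decompressor(int maxDecompressedLength) {
        // safeInstance() selects the pure-Java implementation, i.e. a Java-based
        // decompressor of the kind the advisory describes (JNI is not affected).
        this.decompressor = LZ4Factory.safeInstance().safeDecompressor();
        this.scratch = new byte[maxDecompressedLength];
    }

    /** Decompress one LZ4 block; throws if it does not fit the scratch buffer. */
    public synchronized byte[] decompress(byte[] compressed) {
        // Mitigation from the advisory: zero the output buffer before decompressing.
        Arrays.fill(scratch, (byte) 0);
        int written = decompressor.decompress(
                compressed, 0, compressed.length, scratch, 0, scratch.length);
        // Never expose the whole scratch buffer; copy out exactly the bytes written.
        byte[] out = Arrays.copyOf(scratch, written);
        // Clear again so the decompressed plaintext does not linger in the shared buffer.
        Arrays.fill(scratch, 0, written, (byte) 0);
        return out;
    }

    public static void main(String[] args) {
        LZ4Compressor compressor = LZ4Factory.safeInstance().fastCompressor();
        ClearedLz4Decompressor dec = new ClearedLz4Decompressor(256);

        // Constructed sample inputs: a longer "sensitive" first message, then a short one
        // that reuses the same scratch buffer.
        byte[] first = compressor.compress(
                "session-token=CONSTRUCTED-SAMPLE-VALUE".getBytes(StandardCharsets.UTF_8));
        byte[] second = compressor.compress("ok".getBytes(StandardCharsets.UTF_8));

        String a = new String(dec.decompress(first), StandardCharsets.UTF_8);
        String b = new String(dec.decompress(second), StandardCharsets.UTF_8);
        System.out.println("first : " + a);
        System.out.println("second: " + b + " (length " + b.length()
                + ", no residue from the first call)");
    }
}
```

The two safeguards are independent: zeroing the buffer before the call removes stale bytes the decompressor might leave untouched, and copying out only `written` bytes means a caller can never read past the real output even if someone later removes the fill. To confirm which version a build resolves, the Maven dependency plugin can filter the tree to a single artifact (assuming the fork is published under the org.lz4 group as lz4-java): `mvn dependency:tree -Dincludes=org.lz4:lz4-java`, then compare the reported version against the fixed 1.10.1.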