CVE-2025-66566
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-08

Assigner: GitHub, Inc.

Description
yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-08
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66566
EUVD
EUVD-2025-201456
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
yawkat lz4-java 1.10.1
yawkat lz4-java 1.10.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by identifying usage of vulnerable lz4-java library versions (1.10.0 and earlier) in your Java applications that perform LZ4 decompression. Since the issue involves crafted compressed input causing leakage from uninitialized output buffers, detection involves monitoring for suspicious or malformed LZ4 compressed data inputs and verifying the library version in use. There are no specific commands provided in the resources for direct detection on the network or system. However, you can check the version of lz4-java in your project dependencies (e.g., using Maven or Gradle commands) and review logs or application behavior for anomalies during decompression. To mitigate or confirm the fix, ensure the library is upgraded to version 1.10.1 or later, or that output buffers are zeroed before decompression. No explicit network detection commands are provided. [1, 2]

Executive Summary

This vulnerability exists in yawkat LZ4 Java versions 1.10.0 and earlier, where the output buffer in the Java-based decompressor is not sufficiently cleared. This allows remote attackers to craft compressed input that causes the decompressor to leak previous buffer contents, potentially exposing sensitive data. JNI-based implementations are not affected. The issue is fixed in version 1.10.1.

Impact Analysis

If you use affected versions of yawkat LZ4 Java in your applications and reuse output buffers without clearing them, attackers can exploit this vulnerability to read sensitive data from previous decompression operations. This can lead to unauthorized disclosure of sensitive information.

Compliance Impact

This vulnerability can lead to unauthorized disclosure of sensitive data, which may result in non-compliance with data protection regulations such as GDPR and HIPAA that require safeguarding personal and sensitive information.

Mitigation Strategies

Update the yawkat LZ4 Java library to version 1.10.1 or later, as this version fixes the vulnerability related to insufficient clearing of the output buffer in Java-based decompressor implementations. Avoid using vulnerable versions (1.10.0 and earlier) especially in applications that reuse output buffers without clearing them.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66566. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart