CVE-2025-67721
Unknown Unknown - Not Provided
Buffer Overread in Aircompressor Snappy and LZ4 Decompressors

Publication date: 2025-12-12

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allow remote attackers to read previous buffer contents via crafted compressed input. With certain crafted compressed inputs, elements from the output buffer can end up in the uncompressed output, potentially leaking sensitive data. This is relevant for applications that reuse the same output buffer to uncompress multiple inputs. This can be the case of a web server that allocates a fix-sized buffer for performance purposes. There is similar vulnerability in GHSA-cmp6-m4wj-q63q. This issue is fixed in version 3.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2025-12-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67721
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
airlift aircompressor to 2.0.3 (exc)
airlift aircompressor From 3.0 (inc) to 3.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Aircompressor versions 3.3 and below, where the Java-based decompressor implementations for Snappy and LZ4 incorrectly handle malformed compressed data. This flaw allows remote attackers to craft compressed inputs that cause the decompressor to leak contents from previous decompression buffers into the current output. Essentially, sensitive data from earlier decompressions can be exposed due to reuse of the same output buffer without proper clearing or isolation.

Impact Analysis

The vulnerability can lead to unintended disclosure of sensitive data because crafted compressed inputs can cause the decompressor to output data from previous decompression operations. This is particularly impactful in scenarios where applications reuse fixed-size output buffers for performance, such as web servers. Attackers can exploit this to read sensitive information that should not be accessible, potentially compromising confidentiality.

Mitigation Strategies

Upgrade Aircompressor to version 3.4 or later, as this version fixes the vulnerability related to incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4.

Compliance Impact

This vulnerability can lead to the leakage of sensitive data due to improper handling of malformed compressed input, which may result in unauthorized disclosure of information. Such data leaks can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access. Therefore, affected applications using vulnerable versions of Aircompressor may face compliance risks until they update to the fixed version 3.4.

Detection Guidance

This vulnerability can be detected by testing the decompression behavior of the Aircompressor library (versions 3.3 and below) when processing crafted compressed inputs with zero match offsets in Snappy or LZ4 decompression. Specifically, you can attempt to decompress specially crafted compressed data that includes a zero match offset and observe if the decompressor throws a MalformedInputException. The presence of such an exception indicates the fix is in place; absence may indicate vulnerability. Since this is a Java library issue, detection involves running unit tests or custom Java code that decompresses crafted inputs designed to trigger the vulnerability. The commits for CVE-2025-67721 include unit tests named `testZeroMatchOffset()` in `TestLz4.java` and tests in `TestSnappyJava.java` that verify the decompressor throws exceptions on zero match offsets. There are no specific network commands provided for detection, but you can create or use these test cases in your environment to verify if your version is vulnerable. Alternatively, monitoring for unexpected data leakage or anomalous decompressed outputs when processing untrusted compressed data may help detect exploitation attempts. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67721. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart