CVE-2025-67721
Buffer Overread in Aircompressor Snappy and LZ4 Decompressors
Publication date: 2025-12-12
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| airlift | aircompressor | to 2.0.3 (exc) |
| airlift | aircompressor | From 3.0 (inc) to 3.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Aircompressor versions 3.3 and below, where the Java-based decompressor implementations for Snappy and LZ4 incorrectly handle malformed compressed data. This flaw allows remote attackers to craft compressed inputs that cause the decompressor to leak contents from previous decompression buffers into the current output. Essentially, sensitive data from earlier decompressions can be exposed due to reuse of the same output buffer without proper clearing or isolation.
How can this vulnerability impact me? :
The vulnerability can lead to unintended disclosure of sensitive data because crafted compressed inputs can cause the decompressor to output data from previous decompression operations. This is particularly impactful in scenarios where applications reuse fixed-size output buffers for performance, such as web servers. Attackers can exploit this to read sensitive information that should not be accessible, potentially compromising confidentiality.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Aircompressor to version 3.4 or later, as this version fixes the vulnerability related to incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability can lead to the leakage of sensitive data due to improper handling of malformed compressed input, which may result in unauthorized disclosure of information. Such data leaks can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access. Therefore, affected applications using vulnerable versions of Aircompressor may face compliance risks until they update to the fixed version 3.4.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the decompression behavior of the Aircompressor library (versions 3.3 and below) when processing crafted compressed inputs with zero match offsets in Snappy or LZ4 decompression. Specifically, you can attempt to decompress specially crafted compressed data that includes a zero match offset and observe if the decompressor throws a MalformedInputException. The presence of such an exception indicates the fix is in place; absence may indicate vulnerability. Since this is a Java library issue, detection involves running unit tests or custom Java code that decompresses crafted inputs designed to trigger the vulnerability. The commits for CVE-2025-67721 include unit tests named `testZeroMatchOffset()` in `TestLz4.java` and tests in `TestSnappyJava.java` that verify the decompressor throws exceptions on zero match offsets. There are no specific network commands provided for detection, but you can create or use these test cases in your environment to verify if your version is vulnerable. Alternatively, monitoring for unexpected data leakage or anomalous decompressed outputs when processing untrusted compressed data may help detect exploitation attempts. [1, 2, 3]