Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <a4bab4d9-bbcb-4f59-9aa7-7a9cf3fdec74@oracle.com>
Date: Mon, 1 Dec 2025 10:24:38 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-12183 in lz4-java, fixed in new fork

https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
discloses:

> Summary
> -------
> 
> Various lz4-java compression and decompression implementations do not
> guard against out-of-bounds memory access. Untrusted input may lead to
> denial of service and information disclosure.
> 
> Vulnerable Maven coordinates:
> 
>     org.lz4:lz4-java up to and including 1.8.0
>     org.lz4:lz4-pure-java up to and including 1.8.0
>     net.jpountz.lz4:lz4 up to and including 1.8.0
> 
> Severity rating & weakness enumeration
> --------------------------------------
> 
> Rating: High - 8.8
> 
> CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N
> 
> CWE-125: Out-of-bounds Read
> 
> Technical Description
> ---------------------
> 
> lz4-java provides a matrix of compression and decompression algorithms:
> 
>   - A JNI-based implementation based on the lz4 library
>     (LZ4Factory.nativeInstance(), LZ4Factory.fastestInstance())
> 
>   - A Java implementation using the deprecated sun.misc.Unsafe API
>     (LZ4Factory.unsafeInstance(), LZ4Factory.fastestInstance(),
>      LZ4Factory.fastestJavaInstance())
> 
>   - A Java implementation without sun.misc.Unsafe (LZ4Factory.safeInstance())
> 
> 
> Each of these variants has:
> 
>   - A "fast" decompressor
> 
>   - A "safe" decompressor
> 
>   - Compressors for various compression levels
> 
> 
> The JNI "fast" decompressor is based on the LZ4_decompress_fast API of the
> lz4 C library. This function is deprecated because it lacks bounds checks
> and is insecure on untrusted input. Other JNI-based APIs (the safe decompressor
> and the compressors) are not vulnerable.
> 
> All Java-based implementations lack sufficient bounds checks. For the
> sun.misc.Unsafe-based implementations, this can lead to denial of service
> and information disclosure. For the normal Java implementations, this only
> leads to ArrayIndexOutOfBoundsExceptions and is not a vulnerability.
> 
> Workaround
> ----------
> 
> The vulnerability can be resolved without patching:
> 
>   - Applications using LZ4Factory.nativeInstance() in conjunction with
>     .fastDecompressor() can switch to .safeInstance() in the short term.
>     In the long term, it is recommended to switch to .safeDecompressor(),
>     which is not vulnerable and provides better performance (despite the name).
> 
>   - Applications using LZ4Factory.unsafeInstance(), .fastestInstance() or
>     .fastestJavaInstance() (Unsafe-based implementations) can switch to
>     .safeInstance().
> 
> Patch
> -----
> Because the maintainer of the official lz4-java library is unavailable,
> the lz4 organization has decided to discontinue the project.
> 
> A community-maintained fork of lz4-java is available at
> https://github.com/yawkat/lz4-java. Two new versions have been released.
> 
> at.yawk.lz4:lz4-java:1.8.1 implements the workarounds listed above.
> The JNI-based fast decompressor is replaced with the safe Java implementation.
> All sun.misc.Unsafe-based compressors and decompressors are replaced with
> their safe counterparts. New unsafeInsecureInstance and nativeInsecureInstance
> factory methods were added for the insecure implementations for applications
> that operate on trusted input only. This version is directly based on 1.8.0
> and only includes the minimum changes necessary to fix the vulnerability.
> 
> at.yawk.lz4:lz4-java:1.9.0 adds a reworked build system, updates to the
> underlying lz4 library (not security-related), and various fixes for the
> Java implementations. The changes from 1.8.1 remain. The Unsafe-based
> implementation may be made available by default again in a future release,
> once there is confidence in the security of the patched implementation.
> 
> org.lz4:lz4-java:1.8.1 is a relocation pom pointing to
> at.yawk.lz4:lz4-java:1.8.1, provided by Sonatype. Users that upgrade to the
> former coordinates will get the latter artifact, and a warning to update
> their maven coordinates. Future releases (including 1.9.0) will only be
> published under the at.yawk.lz4 group ID.
> 
> Credits
> -------
> 
>     Jonas Konrad (Oracle corp.): Discovery and patch
> 
>     Marcono1234: Patch and review
> 
>     Sonatype: Disclosure coordination; Relocation pom


https://github.com/lz4/lz4-java has been updated with:> Note: The official lz4-java project has been discontinued.
> A community fork is available here <https://github.com/yawkat/lz4-java>.
> To address CVE-2025-12183, Sonatype has added a redirect from
> org.lz4:lz4-java:1.8.1 to the new group ID.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.