CVE-2025-67721: aircompressor Snappy and LZ4 Java-based decompressor implementation can leak information from reused output buffer
Incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data.
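The failure mode described above, as an added illustration that is not aircompressor's code: a toy token format (constructed here, not the real Snappy or LZ4 layout) is decoded once by a routine that trusts the header's declared length when a malformed stream ends early, and once by a hardened routine, with a caller that also clears its reused buffer. The exact malformed-input path in aircompressor is not reproduced; all function and format names are assumptions for the demonstration.

```python
import struct
# Toy block format, constructed for this illustration (NOT the real Snappy or
# LZ4 layout): 4-byte big-endian declared output length, then tokens
#   0x00 <n> <n bytes>  literal run;  0x01 <off> <n>  copy n bytes from off back
def _decode_tokens(src: bytes, out: bytearray) -> tuple[int, int]:
    """Decode into out; return (declared length, bytes actually written)."""
    declared = struct.unpack(">I", src[:4])[0]
    pos, i = 4, 0
    while pos < len(src):
        tag = src[pos]
        if tag == 0x00:
            n = src[pos + 1]
            if pos + 2 + n > len(src) or i + n > len(out):
                raise ValueError("truncated literal")
            out[i:i + n] = src[pos + 2:pos + 2 + n]
            pos += 2 + n
        else:                               # 0x01 back-reference; any other tag is malformed
            off, n = src[pos + 1], src[pos + 2]
            if tag != 0x01 or off == 0 or off > i or i + n > len(out):
                raise ValueError("bad token or back-reference")
            for k in range(n):              # byte-wise so overlapping copies work
                out[i + k] = out[i - off + k]
            pos += 3
        i += n
    return declared, i

def decompress_trusting_header(src: bytes, out: bytearray) -> int:
    """Flawed: reports the declared length even if the stream ended early."""
    return _decode_tokens(src, out)[0]

def decompress_strict(src: bytes, out: bytearray) -> int:
    """Hardened: a short stream is an error; the size reported is what was written."""
    declared, written = _decode_tokens(src, out)
    if written != declared:
        raise ValueError(f"declared {declared} bytes but decoded {written}")
    return written

def demo() -> tuple[bytes, bytes]:
    buf = bytearray(32)                           # one buffer reused across calls
    secret = struct.pack(">I", 16) + b"\x00\x10" + b"API_KEY=s3cr3t!!"
    decompress_strict(secret, buf)                # a legitimate earlier message
    malformed = struct.pack(">I", 16) + b"\x00\x04" + b"ABCD"  # claims 16, supplies 4
    leaked = bytes(buf[:decompress_trusting_header(malformed, buf)])  # stale tail exposed
    buf[:] = bytes(len(buf))                      # mitigation 1: clear before reuse
    try:
        decompress_strict(malformed, buf)         # mitigation 2: reject short streams
    except ValueError:
        pass
    return leaked, bytes(buf[:16])
```

`demo()` returns the bytes a caller of the flawed path would see (the previous message's tail after the four supplied bytes) next to what remains once the buffer is cleared and the short stream is rejected.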
References
- github.com/advisories/GHSA-vx9q-rhv9-3jvg
- github.com/airlift/aircompressor
- github.com/airlift/aircompressor/commit/f2b489b398779b40c1ee29ddb11d7edef54ddc15
- github.com/airlift/aircompressor/commit/ff12c4d5757c9d6d1de3d39a10402f1f84f9b765
- github.com/airlift/aircompressor/security/advisories/GHSA-vx9q-rhv9-3jvg
- nvd.nist.gov/vuln/detail/CVE-2025-67721