CVE-2025-12183 in lz4-java, fixed in new fork

[Alan Coopersmith <alan.coopersmith () oracle com>]

https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
discloses:

> Summary
> -------
>
> Various lz4-java compression and decompression implementations do not
> guard against out-of-bounds memory access. Untrusted input may lead to
> denial of service and information disclosure.
>
> Vulnerable Maven coordinates:
>
>     org.lz4:lz4-java up to and including 1.8.0
>     org.lz4:lz4-pure-java up to and including 1.8.0
>     net.jpountz.lz4:lz4 up to and including 1.8.0
>
> Severity rating & weakness enumeration
> --------------------------------------
>
> Rating: High - 8.8
>
> CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N
>
> CWE-125: Out-of-bounds Read
>
> Technical Description
> ---------------------
>
> lz4-java provides a matrix of compression and decompression algorithms:
>
>   - A JNI-based implementation based on the lz4 library
>     (LZ4Factory.nativeInstance(), LZ4Factory.fastestInstance())
>
>   - A Java implementation using the deprecated sun.misc.Unsafe API
>     (LZ4Factory.unsafeInstance(), LZ4Factory.fastestInstance(),
>      LZ4Factory.fastestJavaInstance())
>
>   - A Java implementation without sun.misc.Unsafe (LZ4Factory.safeInstance())
>
>
> Each of these variants has:
>
>   - A "fast" decompressor
>
>   - A "safe" decompressor
>
>   - Compressors for various compression levels
>
>
> The JNI "fast" decompressor is based on the LZ4_decompress_fast API of the
> lz4 C library. This function is deprecated because it lacks bounds checks
> and is insecure on untrusted input. Other JNI-based APIs (the safe decompressor
> and the compressors) are not vulnerable.
>
> All Java-based implementations lack sufficient bounds checks. For the
> sun.misc.Unsafe-based implementations, this can lead to denial of service
> and information disclosure. For the normal Java implementations, this only
> leads to ArrayIndexOutOfBoundsExceptions and is not a vulnerability.
>
> Workaround
> ----------
>
> The vulnerability can be resolved without patching:
>
>   - Applications using LZ4Factory.nativeInstance() in conjunction with
>     .fastDecompressor() can switch to .safeInstance() in the short term.
>     In the long term, it is recommended to switch to .safeDecompressor(),
>     which is not vulnerable and provides better performance (despite the name).
>
>   - Applications using LZ4Factory.unsafeInstance(), .fastestInstance() or
>     .fastestJavaInstance() (Unsafe-based implementations) can switch to
>     .safeInstance().
>
> Patch
> -----
> Because the maintainer of the official lz4-java library is unavailable,
> the lz4 organization has decided to discontinue the project.
>
> A community-maintained fork of lz4-java is available at
> https://github.com/yawkat/lz4-java. Two new versions have been released.
>
> at.yawk.lz4:lz4-java:1.8.1 implements the workarounds listed above.
> The JNI-based fast decompressor is replaced with the safe Java implementation.
> All sun.misc.Unsafe-based compressors and decompressors are replaced with
> their safe counterparts. New unsafeInsecureInstance and nativeInsecureInstance
> factory methods were added for the insecure implementations for applications
> that operate on trusted input only. This version is directly based on 1.8.0
> and only includes the minimum changes necessary to fix the vulnerability.
>
> at.yawk.lz4:lz4-java:1.9.0 adds a reworked build system, updates to the
> underlying lz4 library (not security-related), and various fixes for the
> Java implementations. The changes from 1.8.1 remain. The Unsafe-based
> implementation may be made available by default again in a future release,
> once there is confidence in the security of the patched implementation.
>
> org.lz4:lz4-java:1.8.1 is a relocation pom pointing to
> at.yawk.lz4:lz4-java:1.8.1, provided by Sonatype. Users that upgrade to the
> former coordinates will get the latter artifact, and a warning to update
> their maven coordinates. Future releases (including 1.9.0) will only be
> published under the at.yawk.lz4 group ID.
>
> Credits
> -------
>
>     Jonas Konrad (Oracle corp.): Discovery and patch
>
>     Marcono1234: Patch and review
>
>     Sonatype: Disclosure coordination; Relocation pom


https://github.com/lz4/lz4-java has been updated with:> Note: The official lz4-java project has been discontinued.
> A community fork is available here <https://github.com/yawkat/lz4-java>.
> To address CVE-2025-12183, Sonatype has added a redirect from
> org.lz4:lz4-java:1.8.1 to the new group ID.