Switch from `org.lz4:lz4-java` to `at.yawk.lz4:lz4-java` due to CVE-2025-12183 & CVE-2025-66566.

Switch from `org.lz4:lz4-java` to `at.yawk.lz4:lz4-java` and update version ~`>1.8.0`~ `>=1.10.1` of `lz4-java` due to CVE-2025-12183 and CVE-2025-66566.

`org.lz4:lz4-java` library is discontinued and a fork `at.yawk.lz4:lz4-java` maintained by the community (@yawkat) was established.
- https://github.com/lz4/lz4/issues/1346
- https://github.com/yawkat/lz4-java

Vulnerability CVE-2025-12183:
- https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
- https://security.snyk.io/vuln/SNYK-JAVA-ORGLZ4-14151788

Also discussed in Apache projects:
- https://issues.apache.org/jira/browse/KAFKA-19951
- https://issues.apache.org/jira/browse/CASSANDRA-21052

See also pull request https://github.com/jankotek/mapdb/pull/992.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Switch from `org.lz4:lz4-java` to `at.yawk.lz4:lz4-java` due to CVE-2025-12183 & CVE-2025-66566. #1064

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

Switch from org.lz4:lz4-java to at.yawk.lz4:lz4-java due to CVE-2025-12183 & CVE-2025-66566. #1064

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions

Switch from `org.lz4:lz4-java` to `at.yawk.lz4:lz4-java` due to CVE-2025-12183 & CVE-2025-66566. #1064