KAFKA-19951: Update lz4 dependency version for CVE-2025-12183 & CVE-2025-66566

[erikanderson]

Updated lz4 dependency version from 1.8.0 to 1.10.1

CVE-2025-12183

https://nvd.nist.gov/vuln/detail/CVE-2025-12183

CVE-2025-66566

https://nvd.nist.gov/vuln/detail/CVE-2025-66566

Releases

https://github.com/yawkat/lz4-java/releases/tag/v1.8.1
https://github.com/yawkat/lz4-java/releases/tag/v1.10.0
https://github.com/yawkat/lz4-java/releases/tag/v1.10.1

Reviewers: Gaurav Narula gaurav_narula2@apple.com, Lan Ding
isDing_L@163.com, Chia-Ping Tsai chia7712@gmail.com, Mickael Maison
mimaison@apache.org, PoAn Yang payang@apache.org

[DL1231]

Thanks for the patch. Could you also update LICENSE-binary and ensure the compression levels in org.apache.kafka.common.record.CompressionType are still valid?

[erikanderson]

@DL1231 thank you, updated license binary, do you know how org.apache.kafka.common.record.CompressionType has been confirmed in the past?

[mimaison]

I linked the PR to KAFKA-19951.

Regarding the compression level, it's explained in CompressionType: https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L73-L74

[mimaison]

Also there's still a build issue:

Could not determine the dependencies of task ':clients:shadowJar'.
> Could not resolve all dependencies for configuration ':clients:runtimeClasspath'.
   > Could not resolve org.lz4:lz4-java:1.8.1.
     Required by:
         project ':clients'
      > Module 'org.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['at.yawk.lz4:lz4-java:1.8.1' (runtimeElements)]
   > Could not resolve at.yawk.lz4:lz4-java:1.8.1.
     Required by:
         project ':clients' > org.lz4:lz4-java:1.8.1
      > Module 'at.yawk.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['org.lz4:lz4-java:1.8.1' (runtime)]

[erikanderson]

Also there's still a build issue:

Could not determine the dependencies of task ':clients:shadowJar'.
> Could not resolve all dependencies for configuration ':clients:runtimeClasspath'.
   > Could not resolve org.lz4:lz4-java:1.8.1.
     Required by:
         project ':clients'
      > Module 'org.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['at.yawk.lz4:lz4-java:1.8.1' (runtimeElements)]
   > Could not resolve at.yawk.lz4:lz4-java:1.8.1.
     Required by:
         project ':clients' > org.lz4:lz4-java:1.8.1
      > Module 'at.yawk.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['org.lz4:lz4-java:1.8.1' (runtime)]

It looks like there was a recent change to discontinue https://github.com/lz4/lz4-java, in favor of community fork https://github.com/yawkat/lz4-java . I'll try updating to new GAV

[yawkat]

Maintainer here. Interesting, did you see that error when depending on org.lz4:lz4-java:1.8.1 directly, without any reference to at.yawk.lz4? Maybe there's something wrong with the gradle capability metadata

[erikanderson]

https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L73-L74

Looks like max compression level is unchanged at 16+1 https://github.com/yawkat/lz4-java/blob/d9488323123899f90041187c20801deabcae1bef/src/java/net/jpountz/lz4/LZ4Constants.java#L24

[erikanderson]

Maintainer here. Interesting, did you see that error when depending on org.lz4:lz4-java:1.8.1 directly, without any reference to at.yawk.lz4? Maybe there's something wrong with the gradle capability metadata

Yeah, had to switch to your gav for it to work (I'm just a random person not affil with apache): 51c520e

[mjschwaiger]

'org.lz4:lz4-java:1.8.1

Simple example demonstrating the issue mentioned by @mimaison:

plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // (1) only -> success
    // (2) only -> error, but: capability conflict not expected
    // (3) only -> success
    // (1) + (2) -> error (expected?)
    // (1) + (3) -> error (capability conflict as expected)
    // (2) + (3) -> error (capability conflict as expected)

    // implementation 'org.lz4:lz4-java:1.8.0' // (1)
    implementation 'org.lz4:lz4-java:1.8.1' // (2)
    // implementation 'at.yawk.lz4:lz4-java:1.8.1' // (3)
}

If only org.lz4:lz4-java:1.8.1 (2) is used, this unexpected build error will occur:

Could not determine the dependencies of task ':testlz4:compileJava'.
> Could not resolve all dependencies for configuration ':testlz4:compileClasspath'.
   > Could not resolve org.lz4:lz4-java:1.8.1.
     Required by:
         project :testlz4
      > Module 'org.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by [at.yawk.lz4:lz4-java:1.8.1(apiElements)]
   > Could not resolve at.yawk.lz4:lz4-java:1.8.1.
     Required by:
         project :testlz4 > org.lz4:lz4-java:1.8.1
      > Module 'at.yawk.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by [org.lz4:lz4-java:1.8.1(compile)]

There might be an issue with the capability configuration together with the relocation settings, which could be the reason for the problem.

[yawkat]

@mjschwaiger I made a test case here: https://github.com/yawkat/test-case-gradle-rename-capability

I think it's a gradle bug, I've asked on the gradle community slack about it.

[chia7712]

LGTM

[chia7712]

@mimaison do you have time to take a look at this?

[ccudennec-otto]

BTW: If the Java project is discontinued, I think it would be a good idea to get rid of the library. Not sure where I could raise this question as an issue.

[chia7712]

Not sure where I could raise this question as an issue.

I recommend KAFKA-17301 for raising this issue 😄

[mimaison]

Should we directly bump to 1.10.0?

[chia7712]

done (cd8be9e)

[mimaison]

BTW: If the Java project is discontinued, I think it would be a good idea to get rid of the library. Not sure where I could raise this question as an issue.

org.lz4:lz4-java is not maintained but at.yawk.lz4:lz4-java is a new fork that is maintained.

[DL1231]

LGTM, thanks for the patch.

[marcosflobo]

Really looking forward to this team!. We have many services using this library and the "CVE alerts" already raised.

Thanks for the great job!

[chia7712]

@erikanderson sorry for intervening on your PR, but we have two planned releases waiting for this patch 😃

[FrankYang0529]

LGTM. Thanks for the patch.

[yawkat]

I recommend you wait a few hours before merging this. Another (smaller, unrelated) CVE was found in lz4-java.

[ccudennec-otto]

If someone else runs into this coming from Spring Boot / Spring Kafka + Gradle.
I had to update doing this because Gradle gave me this warning: Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['org.lz4:lz4-java:1.8.1' (compile)]

    implementation 'org.lz4:lz4-java:1.8.1' // Fixes CVE-2025-12183
    modules {
        module("org.lz4:lz4-java") {
            replacedBy("at.yawk.lz4:lz4-java", "Fork of the original unmaintained lz4-java library that fixes a CVE")
        }
    }

[yawkat]

@ccudennec-otto please see this page: https://github.com/yawkat/lz4-java/wiki/Gradle-and-org.lz4:lz4%E2%80%90java:1.8.1

[apokralipsa]

The readme of the new repository and the old repository contains a message saying that this has been forked to fix a specific CVE. At the same time - the link to that CVE seems quite fishy (it's a page that kinda looks like the Sonatype page, but is hosted on sites.google.com). Are we really sure that this fork is authorized by the original authors?

Supply chain attacks like sha1-hulud are happening quite often right now.

Just asking.

[yawkat]

@apokralipsa That's only prudent. You can see that the CVE was published by sonatype if you look at the CVE feed: https://www.cvedetails.com/vulnerability-list/assigner-366/Sonatype.html

There is also a comment describing the move in the relocation pom: https://repo.maven.apache.org/maven2/org/lz4/lz4-java/1.8.1/lz4-java-1.8.1.pom

If I was malicious and had access to publish org.lz4 to maven central, I wouldn't need to move the group id in the first place, I could just continue with the old namespace. Because I do not have permission to publish org.lz4, I had to secure support from sonatype and the lz4 project to do the move.

[potorowski]

@yawkat @apokralipsa doesn't say this CVE isn't real. He has (IMO valid) concerns about the url you provided (https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183) instead of the valid one (like this: https://www.cve.org/CVERecord?id=CVE-2025-12183).

[yawkat]

Yes, I understand that, and I find it prudent that you pay attention to this. This vulnerability and fix is definitely suspicious due to the project governance changes, compared to e.g. the xz backdoor. However https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183 is a real Sonatype site, and you can see the CVE metadata is published by Sonatype in the CVE feed. I'm just providing evidence that I am honest :)

[yawkat]

CVE-2025-66566 has been published and fixed in 1.10.1. I suggest you move to that version. Though cloudflare seems to be having some trouble that breaks maven central at the moment.

[erikanderson]

CVE-2025-66566 has been published and fixed in 1.10.1. I suggest you move to that version. Though cloudflare seems to be having some trouble that breaks maven central at the moment.

@yawkat I'm not sure that is the right CVE, that one is for oat++ https://nvd.nist.gov/vuln/detail/CVE-2025-6566 . Can you link to the right CVE?

[yawkat]

66566, not 6566. It's not on nvd yet i guess

[erikanderson]

My mistake, misread the number, and when I did search for the new value it gave me the oat one.

Looks like second CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2025-66566

[apokralipsa]

In the mean time I have contacted Sonatype over email and they have confirmed that they are aware of the relocation and they have been in touch with the previous owners of lz4-java.

[ccudennec-otto]

@yawkat : Does Sonatype also need to configure relocation for 1.10.1?

I still get this error when trying to update my local (Maven) project:

Could not find artifact org.lz4:lz4-java:pom:v1.10.1 in central (https://repo1.maven.org/maven2)

In my Gradle projects I can still use the replacedBy approach described above - but this time I need to declare the dependency to at.yawk.lz4:lz4-java:1.10.1 myself.

So either Sonatype needs to support relocation or everyone needs to replace the dependency, I suppose?

(Thanks for your great work so far, by the way! 🌻 🚀 )

[yawkat]

There will be no relocation for versions past 1.8.1

[chia7712]

Dear all, is it good to go for merging? it would be cool to have your approval 😄

[mimaison]

There's still a mention of https://github.com/jpountz/lz4-java in NOTICE-binary: https://github.com/apache/kafka/blob/trunk/NOTICE-binary#L690

[mimaison]

LGTM