CVE-2025-66566: LZ4 Java 1.10.0 Buffer not cleared leads to data disclosure
CVE-2025-66566 Published on December 5, 2025
yawkat LZ4 Java has a possible information leak in Java safe decompressor
yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.
Weakness Type
Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. Sensitive information could include data that is sensitive in and of itself (such as credentials or private messages), or otherwise useful in the further exploitation of the system (such as internal file system structure).
Products Associated with CVE-2025-66566
Want to know whenever a new CVE is published for Oracle? stack.watch will email you.
Affected Versions
yawkat lz4-java Version < 1.10.1 is affected by CVE-2025-66566Vulnerable Packages
The following package name and versions may be associated with CVE-2025-66566
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | at.yawk.lz4:lz4-java | <= 1.10.0 | 1.10.1 |
| maven | org.lz4:lz4-java | <= 1.8.1 | |
| maven | org.lz4:lz4-pure-java | <= 1.8.1 | |
| maven | net.jpountz.lz4:lz4 | <= 1.8.1 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.