The vulnerability is an out-of-bounds read in the fast decompression methods of the lz4-java library. Specifically, the implementations that use JNI (LZ4JNIFastDecompressor) and sun.misc.Unsafe (LZ4JavaUnsafeFastDecompressor) for performance are affected. These methods do not perform adequate validation on the compressed input stream, allowing a crafted payload to cause reads outside of the allocated buffer boundaries. This can result in a denial of service by crashing the application or, in some scenarios, could leak sensitive data from the process memory.
The patch addresses this vulnerability by modifying the LZ4Factory class, which is responsible for creating compressor and decompressor instances. The factory's default behavior was changed to no longer provide the vulnerable JNI and Unsafe-based fast decompressors. Instead, it now returns a slower but memory-safe pure Java implementation (LZ4JavaSafeFastDecompressor). The vulnerable, high-performance versions are still available for expert users who can ensure their input is trusted, but they must now be accessed through new, explicitly named 'insecure' methods (nativeInsecureInstance() and unsafeInsecureInstance()), which are marked as deprecated to warn of the potential danger.
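As an added example (not code from lz4-java or from this advisory), the calling pattern that keeps decompression of blocks from an untrusted source on the memory-safe path regardless of library version: request the pure-Java factory explicitly and use the safe decompressor, which receives the real compressed length. The class name, the `MAX_DECOMPRESSED` policy value and the sample input are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Exception;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4SafeDecompressor;

/** Decodes LZ4 blocks from an untrusted peer without touching the JNI/Unsafe fast decompressors. */
public final class UntrustedBlockDecoder {
    // Hard cap on what we will allocate, whatever the peer claims (assumed policy value).
    private static final int MAX_DECOMPRESSED = 16 * 1024 * 1024;
    // Pure-Java factory requested explicitly, so the choice does not depend on the library
    // version or on whether the native/Unsafe variants happen to be usable at runtime.
    private static final LZ4Factory FACTORY = LZ4Factory.safeInstance();

    /** block: bytes exactly as received; claimedSize: peer-announced size, used only as a capped bound. */
    public static byte[] decode(byte[] block, int claimedSize) {
        if (claimedSize < 0 || claimedSize > MAX_DECOMPRESSED) {
            throw new IllegalArgumentException("declared size out of policy range: " + claimedSize);
        }
        LZ4SafeDecompressor dec = FACTORY.safeDecompressor();
        byte[] dest = new byte[claimedSize];
        try {
            // The safe decompressor knows block.length and dest.length, so it stops at both ends;
            // malformed input surfaces as LZ4Exception rather than as an out-of-bounds read.
            int n = dec.decompress(block, 0, block.length, dest, 0);
            return n == dest.length ? dest : Arrays.copyOf(dest, n);
        } catch (LZ4Exception e) {
            throw new IllegalArgumentException("rejected malformed LZ4 block", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input; compressed with the same pure-Java factory.
        byte[] original = "abcabcabcabcabcabcabcabc constructed sample".getBytes(StandardCharsets.UTF_8);
        byte[] block = FACTORY.fastCompressor().compress(original);
        byte[] roundTrip = decode(block, original.length);
        System.out.println("round trip ok: " + Arrays.equals(original, roundTrip));

        // The same block with its tail cut off: a fast decompressor has no compressed length
        // to check against, so it would read past the end; the safe path reports it instead.
        byte[] truncated = Arrays.copyOf(block, block.length - 2);
        try {
            decode(truncated, original.length);
        } catch (IllegalArgumentException e) {
            System.out.println("truncated block rejected: " + e.getMessage());
        }
    }
}
```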
Affected functions and source files:

| Function | File |
|---|---|
| net.jpountz.lz4.LZ4JNIFastDecompressor.decompress | src/java-jni/net/jpountz/lz4/LZ4JNIFastDecompressor.java |
| net.jpountz.lz4.LZ4JavaUnsafeFastDecompressor.decompress | src/java-unsafe/net/jpountz/lz4/LZ4JavaUnsafeFastDecompressor.java |
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| at.yawk.lz4:lz4-java | maven | < 1.8.1 | 1.8.1 |
| org.lz4:lz4-java | maven | < 1.8.1 | 1.8.1 |
| org.lz4:lz4-pure-java | maven | <= 1.8.0 | |
| net.jpountz.lz4:lz4 | maven | <= 1.3.0 | |