CVE-2025-66566
Description
yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.
Risk Information
Base Score
7.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Exploitation Probability
0.068
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple Vulnerabilities are affected in IBM App Connect Enterprise 12.0.12.23 | Windows |
| Vulnerabilities CVE-2025-12183,CVE-2025-66566,CVE-2025-68161 are affected in IBM App Connect Enterprise 13.0.6.2 | Windows |
| Multiple Vulnerabilities are affected in IBM App Connect Enterprise 13.0.6.2 | Windows |
| Vulnerabilities CVE-2025-66566 are fixed in Yawk - lz4-java 1.10.1 | Windows |
| Vulnerabilities CVE-2025-66566 are affected in Jpountz - lz4 1.8.1 | Windows |
| Vulnerabilities CVE-2025-66566 are affected in Lz4 - lz4-java 1.8.1 | Windows |
| Vulnerabilities CVE-2025-66566 are affected in Lz4 - lz4-pure-java 1.8.1 | Windows |
| Vulnerabilities CVE-2025-66566 are fixed in Yawk - lz4-java for Linux 1.10.1 | Linux |
| Vulnerabilities CVE-2025-66566 are affected in Jpountz - lz4 for Linux 1.8.1 | Linux |
| Vulnerabilities CVE-2025-66566 are affected in Lz4 - lz4-java for Linux 1.8.1 | Linux |
| Vulnerabilities CVE-2025-66566 are affected in Lz4 - lz4-pure-java for Linux 1.8.1 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234