Find, fix and prevent vulnerabilities in your code.
high severity
- Vulnerable module: org.lz4:lz4-java
- Introduced through: org.lz4:lz4-java@1.8.1
Detailed paths
-
Introduced through: laserdisc-io/tamer@laserdisc-io/tamer#f2b1f4e85f5b08b4be35b06236e3f16f80b96ca1 › org.lz4:lz4-java@1.8.1
Overview
org.lz4:lz4-java is a Java port of the LZ4 compression algorithm and the xxHash hashing algorithm.
Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the decompression process when the output buffer is reused without being cleared. An attacker can access sensitive information from previous buffer contents by providing crafted compressed input.
Note:
- JNI implementations are not vulnerable.
LZ4Factory.safeInstance(),LZ4Factory.unsafeInstance(), andLZ4Factory.fastestJavaInstance()are all vulnerable.nativeInstance().fastDecompressor()is vulnerable butnativeInstance().safeDecompressor()is not.- This vulnerability is distinct from the one described in CVE-2025-12183, and was discovered during follow-up research.
Workaround
This vulnerability can be mitigated by zeroing the output buffer before passing it to the decompression function.
Remediation
There is no fixed version for org.lz4:lz4-java.
References
medium severity
- Module: ch.qos.logback:logback-classic
- Introduced through: ch.qos.logback:logback-classic@1.5.32
Detailed paths
-
Introduced through: laserdisc-io/tamer@laserdisc-io/tamer#f2b1f4e85f5b08b4be35b06236e3f16f80b96ca1 › ch.qos.logback:logback-classic@1.5.32
Dual license: EPL-1.0, LGPL-2.1
medium severity
- Module: ch.qos.logback:logback-core
- Introduced through: ch.qos.logback:logback-classic@1.5.32
Detailed paths
-
Introduced through: laserdisc-io/tamer@laserdisc-io/tamer#f2b1f4e85f5b08b4be35b06236e3f16f80b96ca1 › ch.qos.logback:logback-classic@1.5.32 › ch.qos.logback:logback-core@1.5.32
Dual license: EPL-1.0, LGPL-2.1