Aircompressor's Snappy and LZ4 Java-based decompressor implementation can leak information from reused output buffer
Description
Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in the Java-based decompressor implementations for Snappy and LZ4 allows remote attackers to read previous buffer contents via crafted compressed input. With certain crafted compressed inputs, elements from the output buffer can end up in the uncompressed output, potentially leaking sensitive data. This is relevant for applications that reuse the same output buffer to uncompress multiple inputs, for example a web server that allocates a fixed-size buffer for performance reasons. A similar vulnerability is described in GHSA-cmp6-m4wj-q63q. This issue is fixed in version 3.4.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.airlift:aircompressor-v3 (Maven) | < 3.4 | 3.4 |
| io.airlift:aircompressor (Maven) | < 2.0.3 | 2.0.3 |
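
One way to check a build against the table above, added here as an example and not taken from the advisory or the Aircompressor project: it parses `mvn dependency:tree` output and flags the two artifacts against their patched versions. The sample tree is constructed, and versions that are not plain dotted numbers are reported as `unknown` rather than compared.

```python
import re

# Patched versions, taken from the "Affected packages" table on this page.
PATCHED = {
    ("io.airlift", "aircompressor"): (2, 0, 3),
    ("io.airlift", "aircompressor-v3"): (3, 4),
}

# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE_TREE = r"""
[INFO] com.example:ingest-service:jar:1.0.0
[INFO] +- io.airlift:aircompressor:jar:0.27:compile
[INFO] +- org.apache.orc:orc-core:jar:2.1.0:compile
[INFO] |  \- io.airlift:aircompressor-v3:jar:3.3:compile
[INFO] +- io.airlift:aircompressor-v3:jar:3.4:runtime
[INFO] \- io.airlift:aircompressor:jar:2.0.3-SNAPSHOT:test
"""

# group:artifact:type[:classifier]:version:scope
COORD = re.compile(r"[\w.\-]+(?::[\w.\-]+){4,5}")


def parse_version(text):
    """Return a tuple of ints for plain dotted versions, else None."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def audit(tree_output):
    """Return (artifact, version, status) for each Aircompressor dependency."""
    findings = []
    for line in tree_output.splitlines():
        match = COORD.search(line)
        if not match:
            continue
        parts = match.group(0).split(":")
        key = (parts[0], parts[1])
        if key not in PATCHED:
            continue
        version = parts[-2]  # version always precedes the scope
        parsed, fixed = parse_version(version), PATCHED[key]
        if parsed is None:
            status = "unknown"  # qualifiers such as -SNAPSHOT need manual review
        else:
            width = max(len(parsed), len(fixed))
            pad = lambda v: v + (0,) * (width - len(v))
            status = "affected" if pad(parsed) < pad(fixed) else "patched"
        findings.append((":".join(key), version, status))
    return findings
```

Transitive copies matter here: the artifact is often pulled in by another dependency rather than declared directly, so run the check on the full resolved tree.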
Affected products
- Range: 3.0, 3.1, 3.2, …
References
- github.com/advisories/GHSA-vx9q-rhv9-3jvg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-67721 (ghsa, ADVISORY)
- github.com/airlift/aircompressor/commit/f2b489b398779b40c1ee29ddb11d7edef54ddc15 (ghsa, x_refsource_MISC, WEB)
- github.com/airlift/aircompressor/commit/ff12c4d5757c9d6d1de3d39a10402f1f84f9b765 (ghsa, x_refsource_MISC, WEB)
- github.com/airlift/aircompressor/pull/309 (ghsa, WEB)
- github.com/airlift/aircompressor/releases/tag/2.0.3 (ghsa, WEB)
- github.com/airlift/aircompressor/security/advisories/GHSA-vx9q-rhv9-3jvg (ghsa, x_refsource_CONFIRM, WEB)