A high-severity vulnerability, tracked as CVE-2025-12183, has been disclosed in the popular lz4-java compression library, exposing applications to potential Denial of Service (DoS) attacks and sensitive information disclosure. The flaw, categorized as an “Out-of-bounds Read” (CWE-125), stems from insufficient memory access guards within the library’s compression and decompression implementations.
With a CVSS score of 8.8, the issue is particularly critical because the original project has been discontinued, forcing the community to migrate to a new fork for security patches.
The lz4-java library provides a matrix of algorithms for compression, including JNI-based (native) and pure Java implementations. The vulnerability affects specific high-performance modes that process untrusted input without verifying memory boundaries.
The “fast” decompressor in the JNI implementation relies on the LZ4_decompress_fast API from the underlying C library. This specific function is deprecated precisely because it lacks bounds checks, making it insecure when handling untrusted input.
The Java-based implementations that utilize the sun.misc.Unsafe API also lack sufficient bounds checks. Exploiting this can lead to memory leakage (information disclosure) or application crashes (DoS).
Standard Java implementations (those not using Unsafe) are not considered vulnerable in this context, as they merely trigger an ArrayIndexOutOfBoundsException rather than leaking memory or crashing the JVM.
The vulnerability impacts specific Maven coordinates up to and including version 1.8.0. Security teams should scan for the following artifacts:
- org.lz4:lz4-java (≤ 1.8.0)
- org.lz4:lz4-pure-java (≤ 1.8.0)
- net.jpountz.lz4:lz4 (≤ 1.8.0)
Because the original maintainer of the lz4-java library is unavailable, the organization has officially discontinued the project. To address this security gap, a community-maintained fork has been established.
Immediate Actions for Developers:
Migrate to the Fork: Users should upgrade to the new artifacts published under the group ID at.yawk.lz4.
- Version 1.8.1: Implements the minimum necessary security fixes. It replaces the JNI “fast” decompressor and Unsafe-based components with their safe counterparts.
- Version 1.9.0: Includes a reworked build system and additional non-security updates.
A relocation POM has been provided for org.lz4:lz4-java:1.8.1, which will automatically point users to the new at.yawk.lz4 artifact while issuing a warning to update coordinates.
Temporary Workarounds: If immediate migration is not possible, developers can mitigate the vulnerability without upgrading the library by changing which LZ4 implementation their code requests:
- Switch from fastDecompressor() or fastestInstance() to safeInstance() or safeDecompressor().
- safeDecompressor() is not vulnerable and, despite its name, provides better performance in the long term.
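The workaround above, as an added example that is not code from the advisory or the lz4-java project: the fast pattern is shown only for contrast, the safe pattern is used for the round trip, and the sample payload and output cap are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4FastDecompressor;
import net.jpountz.lz4.LZ4SafeDecompressor;

public class Lz4SafeMigration {

    // Constructed sample payload for this example (not from the advisory).
    private static final byte[] ORIGINAL =
            ("lz4-java workaround example. " + "repeat repeat repeat repeat repeat repeat ")
                    .getBytes(StandardCharsets.UTF_8);

    // BEFORE (pattern to replace): fastestInstance() may select the JNI or Unsafe
    // backend, and the fast decompressor is only told the expected output length,
    // so it relies on the compressed stream itself to stay within the input buffer.
    static byte[] decompressFastPattern(byte[] compressed, int originalLength) {
        LZ4FastDecompressor fast = LZ4Factory.fastestInstance().fastDecompressor();
        return fast.decompress(compressed, 0, originalLength);
    }

    // AFTER (workaround): safeInstance() selects the pure-Java backend without Unsafe,
    // and the safe decompressor is given the compressed length plus an output cap,
    // so it cannot read past the input buffer or write past the output buffer.
    static byte[] decompressSafePattern(byte[] compressed, int maxDecompressedLength) {
        LZ4SafeDecompressor safe = LZ4Factory.safeInstance().safeDecompressor();
        return safe.decompress(compressed, 0, compressed.length, maxDecompressedLength);
    }

    public static void main(String[] args) {
        LZ4Compressor compressor = LZ4Factory.safeInstance().fastCompressor();
        byte[] compressed = compressor.compress(ORIGINAL);

        // The output cap is an application-defined limit (assumed for this example);
        // if the cap is too small the safe decompressor throws LZ4Exception instead
        // of overrunning the destination buffer.
        int outputCap = 1024;
        byte[] restored = decompressSafePattern(compressed, outputCap);

        if (!Arrays.equals(ORIGINAL, restored)) {
            throw new IllegalStateException("round trip mismatch");
        }
        System.out.println("safe round trip ok: " + restored.length + " bytes");
    }
}
```

Compile against any lz4-java artifact (including the at.yawk.lz4 fork) and check that no remaining call site in the code base obtains fastDecompressor() or fastestInstance().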