securityonline.info 12/8/2025, 2:35:49 AM · via preferred

High-Severity lz4-java Flaw (CVE-2025-66566) Leaks Uninitialized Memory During Decompression

A high-severity flaw in lz4-java, tracked as CVE-2025-66566, allows a Java decompressor to read uninitialized output-buffer memory, potentially exposing sensitive data left behind by previous operations. According to the advisory, the risk arises from insufficient clearing of the output buffer in the Java-based decompressor implementations of lz4-java 1.10.0 and earlier; the issue carries a CVSS score of 8.2.

The vulnerability affects the pure Java implementations, including those returned by LZ4Factory.safeInstance() and LZ4Factory.unsafeInstance(), and can also affect the fastest-instance and fastest-decompressor pathways when no native implementation is in use; JNI-based implementations are not affected. A patch has been released: lz4-java 1.10.1 fixes the issue without requiring changes to user code. If upgrading is not possible, the advisory suggests zeroing the output buffer before passing it to the decompression function. Developers should review their use of LZ4Factory.fastestInstance() and related methods to determine their potential exposure.
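The interim workaround above (clear the destination buffer before each decompression call) is shown below as an added example; it is not code from the advisory or from the lz4-java project. It assumes the lz4-java API as published in the net.jpountz.lz4 package (LZ4Factory.safeInstance(), LZ4Compressor.compress(byte[]) and LZ4SafeDecompressor.decompress(src, srcOff, srcLen, dest, destOff)), and the two payloads are constructed sample data. The point it demonstrates is that when one output buffer is reused across calls, a caller that only trusts the returned length and zeroes the buffer first cannot be handed bytes from the earlier, longer payload.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4SafeDecompressor;

public class ZeroedDecompress {

    // Pure Java instance: one of the pathways the advisory names as affected in 1.10.0 and earlier.
    private static final LZ4Factory FACTORY = LZ4Factory.safeInstance();
    private static final LZ4Compressor COMPRESSOR = FACTORY.fastCompressor();
    private static final LZ4SafeDecompressor DECOMPRESSOR = FACTORY.safeDecompressor();

    // Workaround from the advisory (assumed API, see lead-in): clear the destination buffer
    // before every call so a reused buffer cannot return bytes left over from an earlier operation.
    static int decompressInto(byte[] compressed, byte[] dest) {
        Arrays.fill(dest, (byte) 0);
        return DECOMPRESSOR.decompress(compressed, 0, compressed.length, dest, 0);
    }

    public static void main(String[] args) {
        // Constructed sample payloads; the first is deliberately longer than the second.
        byte[] first = "constructed sample: first payload, longer than the second one"
                .getBytes(StandardCharsets.UTF_8);
        byte[] second = "constructed sample: short".getBytes(StandardCharsets.UTF_8);

        // Round-trip through the compressor so the example runs offline.
        byte[] c1 = COMPRESSOR.compress(first);
        byte[] c2 = COMPRESSOR.compress(second);

        // One output buffer reused for both messages, as a pooled decoder would do.
        byte[] dest = new byte[256];

        int n1 = decompressInto(c1, dest);
        String out1 = new String(dest, 0, n1, StandardCharsets.UTF_8);

        int n2 = decompressInto(c2, dest);
        String out2 = new String(dest, 0, n2, StandardCharsets.UTF_8);

        // Only the returned length is valid output; beyond it the buffer holds zeros,
        // not the tail of the first payload.
        boolean tailIsClean = true;
        for (int i = n2; i < dest.length; i++) {
            if (dest[i] != 0) {
                tailIsClean = false;
                break;
            }
        }

        System.out.println(out1);
        System.out.println(out2);
        System.out.println("bytes beyond the second output are zeroed: " + tailIsClean);
    }
}
```

The zeroing costs one memset per call and is only needed on versions before 1.10.1; once upgraded, the same code keeps working unchanged. Regardless of version, consumers should slice the output by the returned length rather than by the buffer's capacity.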


Article by CyberSIXT