From 360b52868fd5d294b218a145fc44be6e08d4338d Mon Sep 17 00:00:00 2001
From: DibyojyotiS
Date: Wed, 10 Dec 2025 17:21:43 +0530
Subject: [PATCH 1/3] Chore: Add constraint on Lz4-java dependency due to critical CVE-2025-12183

---
 kafka-bom/build.gradle.kts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kafka-bom/build.gradle.kts b/kafka-bom/build.gradle.kts
index 3823271..da8deda 100644
--- a/kafka-bom/build.gradle.kts
+++ b/kafka-bom/build.gradle.kts
@@ -25,7 +25,10 @@ dependencies {
     api("org.apache.commons:commons-lang3:3.18.0") {
         because("CVE-2025-48924 is fixed in 3.18.0")
     }
-
+    api("org.lz4:lz4-java:1.8.1") {
+        because("[https://nvd.nist.gov/vuln/detail/CVE-2025-12183] in org.lz4:lz4-java:1.8.0")
+        because("CVE-2025-12183 is fixed in 1.8.1")
+    }
     api("io.confluent:kafka-streams-avro-serde:$confluentVersion")
     api("io.confluent:kafka-protobuf-serializer:$confluentVersion")
 
From 78aef6a6ce56b67d357c71815a9de7395d7bd832 Mon Sep 17 00:00:00 2001
From: DibyojyotiS
Date: Thu, 11 Dec 2025 13:32:12 +0530
Subject: [PATCH 2/3] address gradle's conflict due to org.lz4:lz4-java:1.8.1 being pointed to at.yawk.lz4:lz4-java:1.8.1

---
 build.gradle.kts | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/build.gradle.kts b/build.gradle.kts
index 5df088b..2dd592c 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -27,6 +27,16 @@ subprojects {
       apply(plugin = "org.hypertrace.code-style-plugin")
     }
   }
+
+  // Handle lz4-java redirect capability conflict:
+  // Sonatype added a redirect from org.lz4:lz4-java:1.8.1 -> at.yawk.lz4:lz4-java:1.8.1 to address CVE-2025-12183.
+  // Both artifacts declare the same capability, causing a conflict when upgrading from Kafka's org.lz4:lz4-java:1.8.0.
+  // This resolution strategy tells Gradle to automatically select the highest version when this conflict occurs.
+  configurations.all {
+    resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
+      selectHighestVersion()
+    }
+  }
 }
 
 dependencyCheck {
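Review bot: The two consecutive `because(...)` calls on the new `org.lz4:lz4-java:1.8.1` constraint do not accumulate — as far as I know `because` sets the dependency's single reason string, so the second call replaces the NVD link given in the first and only "CVE-2025-12183 is fixed in 1.8.1" survives in dependency-insight output. Fold them into one call, e.g. `because("CVE-2025-12183 (https://nvd.nist.gov/vuln/detail/CVE-2025-12183) in org.lz4:lz4-java:1.8.0; fixed in 1.8.1")`. Per the later commits in this series, `org.lz4:lz4-java:1.8.1` is served as a redirect to `at.yawk.lz4:lz4-java:1.8.1`, so consumers of this BOM that do not also carry the root build's capability-resolution rule would presumably hit the same capability conflict; that is worth stating in the reason text or the BOM's documentation. The enclosing `dependencies {` block starts outside the hunk.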
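Review bot: The fix makes the build resolve lz4 from a different groupId (`at.yawk.lz4`, per the added comment), so the project now trusts a publisher other than the one it resolved before, and nothing in this hunk verifies that artifact. If the repository does not already use Gradle dependency verification, consider recording the checksum (and signature, where published) of `at.yawk.lz4:lz4-java:1.8.1` in `gradle/verification-metadata.xml`, so a later change to the redirect target cannot silently substitute different bytes. That also gives CI a concrete failure point instead of relying on the capability-resolution rule alone. `subprojects {` begins outside the hunk and `dependencyCheck {` continues past it.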
From 0ce73d4ec9c84e549bb119d9d121d0942961e85b Mon Sep 17 00:00:00 2001
From: DibyojyotiS
Date: Thu, 11 Dec 2025 13:34:40 +0530
Subject: [PATCH 3/3] removed selectHighestVersion and made it more specific for 1.8.1 version

---
 build.gradle.kts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/build.gradle.kts b/build.gradle.kts
index 2dd592c..5013857 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -34,7 +34,8 @@ subprojects {
   // This resolution strategy tells Gradle to automatically select the highest version when this conflict occurs.
   configurations.all {
     resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
-      selectHighestVersion()
+      select("at.yawk.lz4:lz4-java:1.8.1")
+      because("Both org.lz4 and at.yawk.lz4 provide lz4-java due to Sonatype redirect")
     }
   }
 }
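Review bot: The context comment two lines above `configurations.all {` still says the rule "automatically select[s] the highest version", which is no longer what the code does once `selectHighestVersion()` is replaced by `select("at.yawk.lz4:lz4-java:1.8.1")`; update it to something like `// This resolution strategy pins the at.yawk.lz4 artifact (the Sonatype redirect target) when this conflict occurs.`. The hard-coded `1.8.1` in `select(...)` also duplicates the version the BOM constrains; if that constraint is later bumped the selected notation will presumably match no candidate and resolution will fail, so selecting by group is more robust: `select(candidates.first { (it.id as? ModuleComponentIdentifier)?.group == "at.yawk.lz4" })` (with `org.gradle.api.artifacts.component.ModuleComponentIdentifier` imported). This rule lives in the root project's `subprojects {}` block, so it is not exported with kafka-bom; if the BOM is consumed outside this build, its users need the same rule or they inherit the conflict it works around.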