lz4-java v1.8.1

@yawkat yawkat released this 26 Nov 08:52

Note: This release is still vulnerable to CVE-2025-66566 which was discovered later. Please upgrade to at.yawk.lz4:lz4-java:1.10.1.

Minimal patch to resolve CVE-2025-12183:

  • LZ4Factory.nativeInstance().fastDecompressor() returns the safe Java implementation instead
  • LZ4Factory.unsafeInstance() returns the safe Java implementation instead
  • LZ4Factory.unsafeInsecureInstance() and LZ4Factory.nativeInsecureInstance() are added to provide access to insecure but faster implementations.

User code does not need to be changed for this patch to be effective.
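Because the patch changes which implementation the factory methods return, and transitive dependencies can still pull in an older jar, a runtime check of the loaded library is useful. The following is an added example, not code from the lz4-java project: it detects the API surface this release adds (the two `...InsecureInstance()` methods) and reports which class backs `unsafeInstance().fastDecompressor()`. The class name `Lz4PatchCheck` is hypothetical, and the `net.jpountz.lz4` package name is an assumption about the jar on the classpath. The check only recognises the CVE-2025-12183 patch; it says nothing about CVE-2025-66566.

```java
import java.lang.reflect.Method;

public final class Lz4PatchCheck {
    // Assumption: the at.yawk.lz4 artifact keeps lz4-java's net.jpountz.lz4 package.
    static final String FACTORY = "net.jpountz.lz4.LZ4Factory";
    // Factory methods the release notes say this patch adds.
    static final String[] ADDED = {"unsafeInsecureInstance", "nativeInsecureInstance"};

    enum Status { NOT_ON_CLASSPATH, PRE_PATCH, PATCHED_API }

    static Status check(ClassLoader cl) {
        Class<?> factory;
        try {
            factory = Class.forName(FACTORY, false, cl); // load without initializing
        } catch (ClassNotFoundException e) {
            return Status.NOT_ON_CLASSPATH;
        }
        for (String name : ADDED) {
            try {
                factory.getMethod(name);
            } catch (NoSuchMethodException e) {
                return Status.PRE_PATCH; // API predates the CVE-2025-12183 patch
            }
        }
        return Status.PATCHED_API;
    }

    // Class name of the decompressor that unsafeInstance().fastDecompressor() hands out.
    static String fastDecompressorImpl(ClassLoader cl) throws ReflectiveOperationException {
        Class<?> factory = Class.forName(FACTORY, true, cl);
        Object instance = factory.getMethod("unsafeInstance").invoke(null);
        Method m = factory.getMethod("fastDecompressor");
        return m.invoke(instance).getClass().getName();
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = Lz4PatchCheck.class.getClassLoader();
        Status status = check(cl);
        System.out.println("lz4-java API status: " + status);
        if (status != Status.NOT_ON_CLASSPATH) {
            java.security.CodeSource src =
                Class.forName(FACTORY, false, cl).getProtectionDomain().getCodeSource();
            System.out.println("loaded from: " + (src == null ? "unknown" : src.getLocation()));
            System.out.println("unsafeInstance().fastDecompressor() -> " + fastDecompressorImpl(cl));
        }
        // Non-zero exit lets a startup script or CI step fail on a pre-patch jar.
        System.exit(status == Status.PRE_PATCH ? 1 : 0);
    }
}
```

Run it with the application's real classpath so that it inspects the jar the application actually loads.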

The full diffoscope output can be found here.

org.lz4:lz4-java:1.8.1 is a relocation POM that "redirects" to the new artifact at.yawk.lz4:lz4-java:1.8.1. To avoid issues with Gradle, please use only the latter group ID.