GitHub user kontotto created a discussion: Question about handling io.airlift:aircompressor vulnerability
## Summary

There is a reported security vulnerability in `io.airlift:aircompressor`, which is used as a dependency in Apache Pulsar.

- CVE: https://www.cve.org/CVERecord?id=CVE-2025-67721
- Affected dependency version in Pulsar: https://github.com/apache/pulsar/blob/1fcdf8bb9a97fbc4c0db78c4aa8df2b1fae02a65/pom.xml#L263

## Background

This vulnerability appears to be fixed in `io.airlift:aircompressor` version 3.4.x and later. However, the 3.x series requires **Java 22 or later**, which may make a straightforward upgrade challenging given Apache Pulsar's supported Java versions.

On the other hand, the 0.x and 2.x series support **Java 8 and later**, which aligns better with Pulsar's current Java compatibility policy.

In addition, the maintenance activity of `io.airlift:aircompressor` seems relatively low, which raises concerns from a long-term security perspective.

## Possible Approaches

From an external user's point of view, the following options seem possible:

- Evaluate upgrading to `aircompressor` 3.x, taking the Java version requirements into account
- Consider replacing `aircompressor` with an alternative library, given its maintenance status
- **Apply a backport fix to the Java 8–compatible 0.x or 2.x series (the 2.x series appears to have relatively small code differences from 0.x), and then update the dependency**

## Question

Could you please share the current or planned approach for handling this vulnerability in Apache Pulsar, including how the Java version requirements are being considered?

GitHub link: https://github.com/apache/pulsar/discussions/25137
