Hi Chia-Ping,
I noticed one more CVE today in the library 'lz4-java'. The fixed version is 1.8.1;
the current one is 1.8.0. Kindly take care of it. Below are the CVE details.

{
  "VulnerabilityID": "CVE-2025-12183",
  "PkgName": "org.lz4:lz4-java",
  "PkgIdentifier": {
    "PURL": "pkg:maven/org.lz4/lz4-java@1.8.0"
  },
  "InstalledVersion": "1.8.0",
  "FixedVersion": "1.8.1",
  "Status": "fixed",
  "Layer": {
  "SeveritySource": "ghsa",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-12183",
  "DataSource": {
    "ID": "ghsa",
    "Name": "GitHub Security Advisory Maven",
    "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
  },
  "Title": "LZ4 Java Compression has Out-of-bounds memory operations which can cause DoS",
  "Description": "Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.",
  "Severity": "HIGH",
  "CweIDs": [
    "CWE-125"
  ],
  "VendorSeverity": {
    "ghsa": 3
  },
  "References": [
    "http://www.openwall.com/lists/oss-security/2025/12/01/5",
    "https://github.com/yawkat/lz4-java",
    "https://github.com/yawkat/lz4-java/releases/tag/v1.8.1",
    "https://nvd.nist.gov/vuln/detail/CVE-2025-12183",
    "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183"
  ],
  "PublishedDate": "2025-11-28T16:15:51.823Z",
  "LastModifiedDate": "2025-12-01T21:15:49.8Z"
}
  ]
}

Thanks.
Brundha S V

-----Original Message-----
From: V, Brundha via dev <[email protected]> 
Sent: 05 December 2025 09:33
To: Chia-Ping Tsai <[email protected]>
Cc: [email protected]; V, Brundha <[email protected]>
Subject: Re: Latest version of kafka-clients has CVE on maven repo

Hi Chia-Ping,
OK, then I will watch out for the 4.2.0 release. Thanks for the confirmation.

Thanks.
Brundha S V
________________________________
From: Chia-Ping Tsai <[email protected]>
Sent: Friday, December 5, 2025 5:41:39 AM
To: V, Brundha <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: Latest version of kafka-clients has CVE on maven repo

hi

Have you considered updating to 4.2.0? We will be releasing 4.2.0 soon, and we
don't currently have a plan for a patch release of 4.0/4.1.

On December 4, 2025 at 8:29 PM, Chia-Ping Tsai <[email protected]> wrote:


The update of `commons-validator` is only included in 4.2.0. I can backport
the update to 4.0 and 4.1, and you could force a dependency update in your
environment.

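Both the Trivy record quoted at the top of the thread and the suggestion just above to force a dependency update in your own environment come down to the same mechanical step: read the scanner's JSON, keep only the findings that have a fixed release, and pin those versions in the consuming pom through <dependencyManagement> so Maven resolves the patched artifact instead of the one pulled in transitively. The script below is an added example written for this page; it is not code from the thread, from Apache Kafka or from Trivy. It assumes Trivy's JSON layout (Results[].Vulnerabilities[] with PkgIdentifier.PURL, InstalledVersion, FixedVersion and Severity), and its embedded report is constructed: the first record mirrors the lz4-java finding quoted above, the second is a constructed record for the commons-beanutils 1.9.4 to 1.11.0 bump discussed later in the thread and carries a placeholder identifier, not a real advisory ID.

```python
"""Turn Trivy JSON findings into Maven <dependencyManagement> pins.

Added example for this thread, not code from the thread, Apache Kafka or Trivy.
Assumes Trivy's JSON layout: Results[].Vulnerabilities[] records carrying
PkgIdentifier.PURL, InstalledVersion, FixedVersion and Severity.
"""
import json
import re
from typing import Dict, List, Optional, Tuple
from xml.sax.saxutils import escape

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report. Record 1 mirrors the lz4-java finding quoted in the
# thread; record 2 is constructed for the commons-beanutils bump the thread
# discusses and uses a placeholder ID, not a real advisory identifier.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "pom.xml",
        "Vulnerabilities": [
            {
                "VulnerabilityID": "CVE-2025-12183",
                "PkgName": "org.lz4:lz4-java",
                "PkgIdentifier": {"PURL": "pkg:maven/org.lz4/lz4-java@1.8.0"},
                "InstalledVersion": "1.8.0",
                "FixedVersion": "1.8.1",
                "Status": "fixed",
                "Severity": "HIGH",
            },
            {
                "VulnerabilityID": "PLACEHOLDER-ID",  # constructed, not real
                "PkgName": "commons-beanutils:commons-beanutils",
                "PkgIdentifier": {"PURL": "pkg:maven/commons-beanutils/commons-beanutils@1.9.4"},
                "InstalledVersion": "1.9.4",
                "FixedVersion": "1.11.0",
                "Status": "fixed",
                "Severity": "HIGH",
            },
        ],
    }]
})

# pkg:maven/<groupId>/<artifactId>@<version>[?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@?#]+)@(?P<version>[^?#]+)")


def version_key(version: str) -> Tuple:
    """Sort key for dotted versions: numeric parts compare as ints, others as text."""
    parts = re.split(r"[.\-]", version.strip())
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def lowest_fix(fixed_field: str, installed: str) -> Optional[str]:
    """Trivy may list several fixed versions ("1.8.1, 2.0.0"). Pick the smallest
    one that is newer than what is installed; None when no release fixes it."""
    candidates = [v.strip() for v in fixed_field.split(",") if v.strip()]
    newer = [v for v in candidates if version_key(v) > version_key(installed)]
    return min(newer, key=version_key) if newer else None


def fixable_findings(report_json: str, min_severity: str = "HIGH") -> List[Dict[str, str]]:
    """One record per Maven finding at or above min_severity that has a usable fix."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    found = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            match = PURL_RE.match(vuln.get("PkgIdentifier", {}).get("PURL", ""))
            if not match:
                continue  # not a Maven coordinate; nothing to pin in a pom
            fix = lowest_fix(vuln.get("FixedVersion", ""), vuln["InstalledVersion"])
            if fix is None:
                continue  # no fixed release yet: a version pin cannot help
            found.append({"id": vuln["VulnerabilityID"], "group": match["group"],
                          "artifact": match["artifact"],
                          "installed": vuln["InstalledVersion"], "fixed": fix})
    return found


def pins(findings: List[Dict[str, str]]) -> Dict[Tuple[str, str], str]:
    """Collapse to one pin per artifact, keeping the highest required fix so a
    single version satisfies every advisory against that artifact."""
    pinned: Dict[Tuple[str, str], str] = {}
    for f in findings:
        key = (f["group"], f["artifact"])
        if key not in pinned or version_key(f["fixed"]) > version_key(pinned[key]):
            pinned[key] = f["fixed"]
    return pinned


def dependency_management_xml(pinned: Dict[Tuple[str, str], str]) -> str:
    """Render a <dependencyManagement> block; versions declared there override
    the transitively resolved ones."""
    lines = ["<dependencyManagement>", "  <dependencies>"]
    for (group, artifact), version in sorted(pinned.items()):
        lines += ["    <dependency>",
                  f"      <groupId>{escape(group)}</groupId>",
                  f"      <artifactId>{escape(artifact)}</artifactId>",
                  f"      <version>{escape(version)}</version>",
                  "    </dependency>"]
    lines += ["  </dependencies>", "</dependencyManagement>"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = fixable_findings(SAMPLE_REPORT)
    for f in found:
        print(f"{f['id']}: {f['group']}:{f['artifact']} {f['installed']} -> {f['fixed']}")
    print(dependency_management_xml(pins(found)))
```

After adding the generated block to the pom, re-run `mvn dependency:tree` and confirm the pinned version now appears under kafka_2.13; a pin in dependencyManagement wins over the transitive version, but it says nothing about whether the newer artifact is binary-compatible with the Kafka release that pulled it in, so the test suite still has to run against the pinned classpath. Findings whose FixedVersion is empty are deliberately dropped: for those, pinning cannot help and the only options are to wait for a release or to exclude the dependency.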
On Thursday, December 4, 2025 at 6:17 PM, V, Brundha <[email protected]> wrote:

Hi Chia-Ping,

What about kafka_2.13? With version 4.1.1, I still see that commons-beanutils
is at version 1.9.0; link here:
https://central.sonatype.com/artifact/org.apache.kafka/kafka_2.13/dependencies



In my code I am using spring-boot-starter-kafka-test:jar:4.0.0, which is using
this kafka_2.13. Below is my dependency tree:

[INFO] +- org.springframework.boot:spring-boot-starter-kafka-test:jar:4.0.0:compile
[INFO] |  \- org.springframework.kafka:spring-kafka-test:jar:4.0.0:compile
[INFO] |     .
[INFO] |     .
[INFO] |     .
[INFO] |     +- org.apache.kafka:kafka-test-common-runtime:jar:4.1.1:compile
[INFO] |     |  +- org.apache.kafka:kafka_2.13:jar:4.1.1:compile
[INFO] |     |  |  +- org.scala-lang:scala-library:jar:2.13.16:compile
[INFO] |     |  |  +- org.apache.kafka:kafka-tools-api:jar:4.1.1:runtime
[INFO] |     |  |  +- net.sourceforge.argparse4j:argparse4j:jar:0.7.0:runtime
[INFO] |     |  |  +- commons-validator:commons-validator:jar:1.9.0:runtime
[INFO] |     |  |  |  +- commons-beanutils:commons-beanutils:jar:1.9.4:runtime
[INFO] |     |  |  |  +- commons-digester:commons-digester:jar:2.1:runtime
[INFO] |     |  |  |  \- commons-collections:commons-collections:jar:3.2.2:runtime

Thanks.
Brundha S V


From: Chia-Ping Tsai <[email protected]>
Sent: 04 December 2025 15:12
To: [email protected]
Cc: V, Brundha <[email protected]>
Subject: Re: Latest version of kafka-clients has CVE on maven repo

hi

kafka-clients:4.1.1 has updated the commons-beanutils dependency to 1.11.0 (see
https://github.com/apache/kafka/commit/ddc30477a99c06d1c91f53bbf1230d32fadb98d5),
and this change should already resolve the related CVE.

Best,
Chia-Ping


On Thursday, December 4, 2025 at 5:10 PM, V, Brundha via dev <[email protected]> wrote:

Hi,

The latest version of kafka-clients, 4.1.1, has a CVE related to 'commons-beanutils'.
I see that the parent package 'commons-validator' is already upgraded in the code,
but I don't see any release containing this upgraded version on the Maven repository.
Kindly make the version available on Maven as soon as possible, as this CVE is in the
HIGH category.

Thanks.
Brundha S V
