Hi Tika Team,
We have come across the CVE-2025-12183 vulnerability in the Tika 2.9.5 snapshot build. When I check the POM file for the package lz4-java-1.8.0.jar or similar, I don't see a reference in the POM file, but I have seen the reference in the Tika code:
tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-pkg-module/src/main/java/org/apache/tika/parser/pkg/CompressorParser.java:import static org.apache.tika.detect.zip.CompressorConstants.LZ4_BLOCK;
tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-pkg-module/src/main/java/org/apache/tika/parser/pkg/CompressorParser.java:import static org.apache.tika.detect.zip.CompressorConstants.LZ4_FRAMED;
tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-pkg-module/src/main/java/org/apache/tika/parser/pkg/CompressorParser.java:                .set(BZIP, BZIP2, DEFLATE64, GZIP, GZIP_ALT, LZ4_FRAMED, COMPRESS, XZ, PACK,
tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-pkg-module/src/main/java/org/apache/tika/parser/pkg/CompressorParser.java:        tmpMimesToName.put(LZ4_FRAMED.toString(), CompressorStreamFactory.LZ4_FRAMED);
NIST CVE description:
https://nvd.nist.gov/vuln/detail/CVE-2025-12183

Description

Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.
Kindly advise whether this package lz4-java has a vulnerability with the Tika 2.9.5 snapshot build.

Thanks in advance.
Regards,

Saravanan B
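Since a POM grep misses dependencies that arrive transitively or shaded into a fat jar, one way to answer the question above is to inspect the built jars themselves: Maven embeds each bundled artifact's coordinates in META-INF/maven/<groupId>/<artifactId>/pom.properties, and the shade plugin keeps those entries. The scanner below is an added example, not Tika project code; it constructs a sample fat jar containing lz4-java 1.8.0 and flags any copy at or below the version the NVD text names.

```python
import os
import tempfile
import zipfile
# Affected range quoted from the NVD text above: org.lz4:lz4-java 1.8.0 and earlier.
AFFECTED, LAST_AFFECTED = ("org.lz4", "lz4-java"), (1, 8, 0)

def parse_pom_properties(text):
    """Parse a Maven pom.properties file (key=value lines, '#' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def version_tuple(version):
    """'1.8.0' -> (1, 8, 0); stops at the first non-numeric piece such as 'SNAPSHOT'."""
    parts = []
    for piece in version.replace("-", ".").split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def find_lz4_java(jar_dir):
    """List (jar, version, affected) for every lz4-java copy, including copies
    shaded into fat jars: each bundled artifact keeps its own pom.properties."""
    hits = []
    for name in sorted(os.listdir(jar_dir)):
        if not name.endswith(".jar"):
            continue
        with zipfile.ZipFile(os.path.join(jar_dir, name)) as jar:
            for entry in jar.namelist():
                if not (entry.startswith("META-INF/maven/") and entry.endswith("/pom.properties")):
                    continue
                props = parse_pom_properties(jar.read(entry).decode("utf-8", "replace"))
                if (props.get("groupId"), props.get("artifactId")) == AFFECTED:
                    version = props.get("version", "")
                    hits.append((name, version, version_tuple(version) <= LAST_AFFECTED))
    return hits

def demo():
    """Constructed sample: a fat jar that shades lz4-java 1.8.0 (not a real Tika build)."""
    with tempfile.TemporaryDirectory() as d:
        with zipfile.ZipFile(os.path.join(d, "app-fat.jar"), "w") as jar:
            jar.writestr("META-INF/maven/org.lz4/lz4-java/pom.properties",
                         "#Generated by Maven\nversion=1.8.0\ngroupId=org.lz4\nartifactId=lz4-java\n")
        return find_lz4_java(d)
```

Point find_lz4_java at the lib directory of a real distribution (or at a single tika-app jar's directory) to see which bundled version, if any, is actually shipped.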