Hi,

These are constants from commons-compress. LZ4_BLOCK is "x-lz4-block". LZ4_FRAMED is "x-lz4". I looked here whether commons-compress uses lz4-java:

https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.28.0

and no, it doesn't. I don't understand why tika is flagged by your tool.

See also this:
https://github.com/ClickHouse/clickhouse-java/issues/2437
"Replace unmaintained lz4-java with Apache Commons Compress LZ4"

Tilman

Am 02.12.2025 um 07:07 schrieb Saravanan Balakrishnan:
Hi Tika Team,
We have come across the CVE-2025-12183 vulnerability in the Tika 2.9.5 snapshot build. When I check the POM file for the package lz4-java-1.8.0.jar or similar, I don't see a reference in the POM file, but I have seen the reference in the tika code:
/tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-pkg-module/src/main/java/org/apache/tika/parser/pkg/CompressorParser.java:import static org.apache.tika.detect.zip.CompressorConstants.LZ4_BLOCK;
/tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-pkg-module/src/main/java/org/apache/tika/parser/pkg/CompressorParser.java:import static org.apache.tika.detect.zip.CompressorConstants.LZ4_FRAMED;
/tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-pkg-module/src/main/java/org/apache/tika/parser/pkg/CompressorParser.java:                .set(BZIP, BZIP2, DEFLATE64, GZIP, GZIP_ALT, LZ4_FRAMED, COMPRESS, XZ, PACK,
/tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-pkg-module/src/main/java/org/apache/tika/parser/pkg/CompressorParser.java:        tmpMimesToName.put(LZ4_FRAMED.toString(), CompressorStreamFactory.LZ4_FRAMED);
NIST CVE description:
https://nvd.nist.gov/vuln/detail/CVE-2025-12183

*Description*

Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.

Kindly advise whether this package lz4-java has a vulnerability with the Tika 2.9.5 snapshot build.

Thanks in advance.

Regards,

Saravanan B
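As an added triage example (not code from this thread or from Tika), a Python check that separates a real lz4-java dependency from Tika's use of the LZ4_FRAMED/LZ4_BLOCK MIME-type constants: it reports which LZ4 implementation classes a jar actually contains and parses `mvn dependency:tree` output for org.lz4:lz4-java. The package prefixes net.jpountz.lz4 (lz4-java) and org.apache.commons.compress.compressors.lz4 (Commons Compress) are assumptions, and the jar contents and tree lines are constructed fixtures.

```python
import io
import re
import zipfile

# Assumed package prefixes of the two LZ4 implementations (not from the thread):
# lz4-java ships under net.jpountz.lz4; Commons Compress ships its own pure-Java
# LZ4 codec under org.apache.commons.compress.compressors.lz4.
LZ4_JAVA_PREFIX = "net/jpountz/lz4/"
COMMONS_LZ4_PREFIX = "org/apache/commons/compress/compressors/lz4/"

# Maven coordinates of the artifact named in the CVE description.
LZ4_JAVA_GA = "org.lz4:lz4-java"


def lz4_implementations_in_jar(jar_bytes: bytes) -> dict:
    """Report which LZ4 implementation's classes a jar really contains.

    A scanner that keys on the string "LZ4" also matches Tika's
    CompressorConstants.LZ4_FRAMED / LZ4_BLOCK MIME constants; the class
    file paths show whose LZ4 code is actually on the classpath.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        classes = [n for n in jar.namelist() if n.endswith(".class")]
    return {
        "lz4_java": any(n.startswith(LZ4_JAVA_PREFIX) for n in classes),
        "commons_compress_lz4": any(n.startswith(COMMONS_LZ4_PREFIX) for n in classes),
    }


def lz4_java_in_dependency_tree(tree_output: str) -> list:
    """Return every org.lz4:lz4-java version listed in `mvn dependency:tree` output."""
    pattern = re.compile(r"\b" + re.escape(LZ4_JAVA_GA) + r":jar:([^:\s]+)")
    return pattern.findall(tree_output)


def build_sample_jar(entries) -> bytes:
    """Construct an in-memory jar with empty entries (fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed fixture shaped like commons-compress: LZ4 classes, no lz4-java.
    sample = build_sample_jar([
        "META-INF/MANIFEST.MF",
        "org/apache/commons/compress/compressors/lz4/FramedLZ4CompressorInputStream.class",
    ])
    print(lz4_implementations_in_jar(sample))
    # Constructed dependency:tree line: commons-compress present, lz4-java absent.
    print(lz4_java_in_dependency_tree("[INFO] +- org.apache.commons:commons-compress:jar:1.28.0:compile\n"))
```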
