[jira] [Resolved] (KAFKA-20054) Critical Security Vulnerability reported for the dependency lz4-java-1.8.0 jar used in Kafka-clients

Chia-Ping Tsai (Jira) Fri, 09 Jan 2026 04:07:31 -0800


     [ 
https://issues.apache.org/jira/browse/KAFKA-20054?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Chia-Ping Tsai resolved KAFKA-20054.
------------------------------------
    Resolution: Duplicate

> Critical Security Vulnerability reported for the dependency lz4-java-1.8.0 
> jar used in Kafka-clients
> ----------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-20054
>                 URL: https://issues.apache.org/jira/browse/KAFKA-20054
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Ashokkumar
>            Priority: Major
>
> Hello Team,
> There is a Critical Security Vulnerability reported for the dependency 
> lz4-java-1.8.0 jar used in Kafka-clients project 
> [CVE-2025-66566](https://www.cve.org/CVERecord?id=CVE-2025-66566)
> [CVE-2025-12183](https://www.cve.org/CVERecord?id=CVE-2025-12183)
> As the lz4 code is now moved to a new package structure and also the latest 
> code base of Kafka-clients is already using it, is there a date where we can 
> get an updated jar into Maven which will incorporate this fix ?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Resolved] (KAFKA-20054) Critical Security Vulnerability reported for the dependency lz4-java-1.8.0 jar used in Kafka-clients

Reply via email to