[jira] [Commented] (KAFKA-20054) Critical Security Vulnerability reported for the dependency lz4-java-1.8.0 jar used in Kafka-clients

Chia-Ping Tsai (Jira) Fri, 09 Jan 2026 03:45:10 -0800


    [ 
https://issues.apache.org/jira/browse/KAFKA-20054?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18050834#comment-18050834
 ]


Chia-Ping Tsai commented on KAFKA-20054:
----------------------------------------

KAFKA-19951 has upgraded the lz4, so the CVE will be resolved in the upcoming 
release (4.2.0 and 3.9.2) 

> Critical Security Vulnerability reported for the dependency lz4-java-1.8.0 
> jar used in Kafka-clients
> ----------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-20054
>                 URL: https://issues.apache.org/jira/browse/KAFKA-20054
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Ashokkumar
>            Priority: Major
>
> Hello Team,
> There is a Critical Security Vulnerability reported for the dependency 
> lz4-java-1.8.0 jar used in Kafka-clients project 
> [CVE-2025-66566](https://www.cve.org/CVERecord?id=CVE-2025-66566)
> [CVE-2025-12183](https://www.cve.org/CVERecord?id=CVE-2025-12183)
> As the lz4 code is now moved to a new package structure and also the latest 
> code base of Kafka-clients is already using it, is there a date where we can 
> get an updated jar into Maven which will incorporate this fix ?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (KAFKA-20054) Critical Security Vulnerability reported for the dependency lz4-java-1.8.0 jar used in Kafka-clients

Reply via email to