CVE-2025-66566 Dependency maven:org.lz4:lz4-java:1.8.0 is vulnerable

Hello team,

Here is the current tree:

```
maven:io.projectreactor.kafka:reactor-kafka:1.3.25
  maven:org.apache.kafka:kafka-clients:4.1.1
    maven:org.lz4:lz4-java:1.8.0
```

And it seems 
```
Dependency maven:org.lz4:lz4-java:1.8.0 is vulnerable



CVE-2025-66566,  Score: 7.5

yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.

Read More: https://www.mend.io/vulnerability-database/CVE-2025-66566?utm_source=Jetbrains

Results powered by Mend.io
```

Is it possible to bump the maven:org.apache.kafka:kafka-clients: usage to the one which contains the safe maven:org.lz4:lz4-java?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2025-66566 Dependency maven:org.lz4:lz4-java:1.8.0 is vulnerable #434

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2025-66566 Dependency maven:org.lz4:lz4-java:1.8.0 is vulnerable #434

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions