KAFKA-19951: Update lz4 dependency version for CVE-2025-12183 & CVE-2025-66566

[erikanderson]

Updated lz4 dependency version from 1.8.0 to 1.10.1

CVE-2025-12183

https://nvd.nist.gov/vuln/detail/CVE-2025-12183

CVE-2025-66566

https://nvd.nist.gov/vuln/detail/CVE-2025-66566

Releases

https://github.com/yawkat/lz4-java/releases/tag/v1.8.1
https://github.com/yawkat/lz4-java/releases/tag/v1.10.0
https://github.com/yawkat/lz4-java/releases/tag/v1.10.1

Reviewers: Gaurav Narula gaurav_narula2@apple.com, Lan Ding
isDing_L@163.com, Chia-Ping Tsai chia7712@gmail.com, Mickael Maison
mimaison@apache.org, PoAn Yang payang@apache.org

[DL1231]

Thanks for the patch. Could you also update LICENSE-binary and ensure the compression levels in org.apache.kafka.common.record.CompressionType are still valid?

[erikanderson]

@DL1231 thank you, updated license binary, do you know how org.apache.kafka.common.record.CompressionType has been confirmed in the past?

[mimaison]

I linked the PR to KAFKA-19951.

Regarding the compression level, it's explained in CompressionType: https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L73-L74

[mimaison]

Also there's still a build issue:

Could not determine the dependencies of task ':clients:shadowJar'.
> Could not resolve all dependencies for configuration ':clients:runtimeClasspath'.
   > Could not resolve org.lz4:lz4-java:1.8.1.
     Required by:
         project ':clients'
      > Module 'org.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['at.yawk.lz4:lz4-java:1.8.1' (runtimeElements)]
   > Could not resolve at.yawk.lz4:lz4-java:1.8.1.
     Required by:
         project ':clients' > org.lz4:lz4-java:1.8.1
      > Module 'at.yawk.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['org.lz4:lz4-java:1.8.1' (runtime)]

[erikanderson]

Also there's still a build issue:

Could not determine the dependencies of task ':clients:shadowJar'.
> Could not resolve all dependencies for configuration ':clients:runtimeClasspath'.
   > Could not resolve org.lz4:lz4-java:1.8.1.
     Required by:
         project ':clients'
      > Module 'org.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['at.yawk.lz4:lz4-java:1.8.1' (runtimeElements)]
   > Could not resolve at.yawk.lz4:lz4-java:1.8.1.
     Required by:
         project ':clients' > org.lz4:lz4-java:1.8.1
      > Module 'at.yawk.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['org.lz4:lz4-java:1.8.1' (runtime)]

It looks like there was a recent change to discontinue https://github.com/lz4/lz4-java, in favor of community fork https://github.com/yawkat/lz4-java . I'll try updating to new GAV

[yawkat]

Maintainer here. Interesting, did you see that error when depending on org.lz4:lz4-java:1.8.1 directly, without any reference to at.yawk.lz4? Maybe there's something wrong with the gradle capability metadata

[erikanderson]

https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L73-L74

Looks like max compression level is unchanged at 16+1 https://github.com/yawkat/lz4-java/blob/d9488323123899f90041187c20801deabcae1bef/src/java/net/jpountz/lz4/LZ4Constants.java#L24

[erikanderson]

Maintainer here. Interesting, did you see that error when depending on org.lz4:lz4-java:1.8.1 directly, without any reference to at.yawk.lz4? Maybe there's something wrong with the gradle capability metadata

Yeah, had to switch to your gav for it to work (I'm just a random person not affil with apache): 51c520e

[mjschwaiger]

'org.lz4:lz4-java:1.8.1

Simple example demonstrating the issue mentioned by @mimaison:

plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // (1) only -> success
    // (2) only -> error, but: capability conflict not expected
    // (3) only -> success
    // (1) + (2) -> error (expected?)
    // (1) + (3) -> error (capability conflict as expected)
    // (2) + (3) -> error (capability conflict as expected)

    // implementation 'org.lz4:lz4-java:1.8.0' // (1)
    implementation 'org.lz4:lz4-java:1.8.1' // (2)
    // implementation 'at.yawk.lz4:lz4-java:1.8.1' // (3)
}

If only org.lz4:lz4-java:1.8.1 (2) is used, this unexpected build error will occur:

Could not determine the dependencies of task ':testlz4:compileJava'.
> Could not resolve all dependencies for configuration ':testlz4:compileClasspath'.
   > Could not resolve org.lz4:lz4-java:1.8.1.
     Required by:
         project :testlz4
      > Module 'org.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by [at.yawk.lz4:lz4-java:1.8.1(apiElements)]
   > Could not resolve at.yawk.lz4:lz4-java:1.8.1.
     Required by:
         project :testlz4 > org.lz4:lz4-java:1.8.1
      > Module 'at.yawk.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by [org.lz4:lz4-java:1.8.1(compile)]

There might be an issue with the capability configuration together with the relocation settings, which could be the reason for the problem.

[yawkat]

@mjschwaiger I made a test case here: https://github.com/yawkat/test-case-gradle-rename-capability

I think it's a gradle bug, I've asked on the gradle community slack about it.

[chia7712]

LGTM

[chia7712]

@mimaison do you have time to take a look at this?

[ccudennec-otto]

BTW: If the Java project is discontinued, I think it would be a good idea to get rid of the library. Not sure where I could raise this question as an issue.

[chia7712]

Not sure where I could raise this question as an issue.

I recommend KAFKA-17301 for raising this issue 😄

[mimaison]

Should we directly bump to 1.10.0?

[chia7712]

done (cd8be9e)

[erikanderson]

CVE-2025-66566 has been published and fixed in 1.10.1. I suggest you move to that version. Though cloudflare seems to be having some trouble that breaks maven central at the moment.

@yawkat I'm not sure that is the right CVE, that one is for oat++ https://nvd.nist.gov/vuln/detail/CVE-2025-6566 . Can you link to the right CVE?

[yawkat]

66566, not 6566. It's not on nvd yet i guess

[erikanderson]

My mistake, misread the number, and when I did search for the new value it gave me the oat one.

Looks like second CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2025-66566

[apokralipsa]

In the mean time I have contacted Sonatype over email and they have confirmed that they are aware of the relocation and they have been in touch with the previous owners of lz4-java.

[ccudennec-otto]

@yawkat : Does Sonatype also need to configure relocation for 1.10.1?

I still get this error when trying to update my local (Maven) project:

Could not find artifact org.lz4:lz4-java:pom:v1.10.1 in central (https://repo1.maven.org/maven2)

In my Gradle projects I can still use the replacedBy approach described above - but this time I need to declare the dependency to at.yawk.lz4:lz4-java:1.10.1 myself.

So either Sonatype needs to support relocation or everyone needs to replace the dependency, I suppose?

(Thanks for your great work so far, by the way! 🌻 🚀 )

[yawkat]

There will be no relocation for versions past 1.8.1

[chia7712]

Dear all, is it good to go for merging? it would be cool to have your approval 😄

[mimaison]

There's still a mention of https://github.com/jpountz/lz4-java in NOTICE-binary: https://github.com/apache/kafka/blob/trunk/NOTICE-binary#L690

[mimaison]

LGTM

[mimaison]

Backported to:

• 4.2: 43a6e11
• 4.1: 2f71a53
• 4.0: 3171e23
• 3.9: d19a0cc

[mimaison]

@erikanderson Do you have a Jira Id? So I mark you as the author

[erikanderson]

@mimaison I don't in ASF

[mimaison]

@erikanderson If you desire, you can create an account using https://selfserve.apache.org/jira-account.html and I'll assign the Jira to you. This is not required, you will still appear as a contributor in the release notes as they are generated from the commit history. Thanks for your contribution!

[mimaison]

I approved your account request and assigned KAFKA-19951 to you. Thanks!

[ox-sag]

when the release version will be released ?

[chia7712]

when the release version will be released ?

3.9.2 (Nov 2025)
4.2.0 (January 2026)

I guess 3.9.2 release will be delayed :)

[skaluva]

'org.lz4:lz4-java:1.8.1

Simple example demonstrating the issue mentioned by @mimaison:

plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // (1) only -> success
    // (2) only -> error, but: capability conflict not expected
    // (3) only -> success
    // (1) + (2) -> error (expected?)
    // (1) + (3) -> error (capability conflict as expected)
    // (2) + (3) -> error (capability conflict as expected)

    // implementation 'org.lz4:lz4-java:1.8.0' // (1)
    implementation 'org.lz4:lz4-java:1.8.1' // (2)
    // implementation 'at.yawk.lz4:lz4-java:1.8.1' // (3)
}

If only org.lz4:lz4-java:1.8.1 (2) is used, this unexpected build error will occur:

Could not determine the dependencies of task ':testlz4:compileJava'.
> Could not resolve all dependencies for configuration ':testlz4:compileClasspath'.
   > Could not resolve org.lz4:lz4-java:1.8.1.
     Required by:
         project :testlz4
      > Module 'org.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by [at.yawk.lz4:lz4-java:1.8.1(apiElements)]
   > Could not resolve at.yawk.lz4:lz4-java:1.8.1.
     Required by:
         project :testlz4 > org.lz4:lz4-java:1.8.1
      > Module 'at.yawk.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by [org.lz4:lz4-java:1.8.1(compile)]

There might be an issue with the capability configuration together with the relocation settings, which could be the reason for the problem.

I'm exactly facing this, struggling to switch this dependency with the new group. But with the gradle capability feature, it works when i define like this:

dependencies {
    implementation ("org.apache.kafka:kafka-clients:3.9.1"){
        exclude group: "org.lz4", module:"lz4-java"
    }
    implementation "at.yawk.lz4:lz4-java:1.10.1" //group changed in newer versions
}
    
configurations.configureEach {
    resolutionStrategy {
        // 1. Resolve capability conflict (CRITICAL)
        capabilitiesResolution.withCapability("org.lz4:lz4-java") {
            select("at.yawk.lz4:lz4-java:1.10.1")
            because("CVE-2025-12183, CVE-2025-66566 – groupId migrated")
        }
    }
}

But in my case the problem is, all my consumers of my internal framework (which uses above kafka-clients) are forced to define above logic to make it work, which i didnt like. Hope in newer versions of kafka-clients, they update their dependency graph with new group.

[marcelstoer]

Hope in newer versions of kafka-clients, they update their dependency graph with new group.

They already did: #21035 <-- this PR

[skaluva]

Hope in newer versions of kafka-clients, they update their dependency graph with new group.

They already did: #21035

Oh yeah.. missed reading entire thread.. but looks like 3.9.2 is not yet released :)

[chia7712]

but looks like 3.9.2 is not yet released :)

It's currently in the oven! Stay tuned 😄

[omarmahamid]

@chia7712

Let’s just hope it’s baking nicely and not getting a little too crispy 😄