Is at.yawk.lz4:lz4-java affected by CVE-2025-66566?

Maven at.yawk.lz4:lz4-java is affected in <1.10.1.

Is CVE-2025-66566 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.5%.

high

CVE-2025-66566

Q: Is CVE-2025-66566 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.5%.

Maven · at.yawk.lz4:lz4-java • Maven · org.lz4:lz4-java • Maven · org.lz4:lz4-pure-java • Maven · net.jpountz.lz4:lz4

Summary

yawkat LZ4 Java has a possible information leak in Java safe decompressor

Severity: high
EPSS: 0.5% (p41)
Also known as: GHSA-cmp6-m4wj-q63q#at.yawk.lz4:lz4-java, GHSA-cmp6-m4wj-q63q#net.jpountz.lz4:lz4, GHSA-cmp6-m4wj-q63q#org.lz4:lz4-java, GHSA-cmp6-m4wj-q63q#org.lz4:lz4-pure-java
Published: 2025-12-05

References

https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q
https://nvd.nist.gov/vuln/detail/CVE-2025-66566
https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840

Related advisories

CVE-2025-12183 — high · Maven/at.yawk.lz4:lz4-java

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.