CVE-2025-66566: CWE-201: Insertion of Sensitive Information Into Sent Data in yawkat lz4-java
yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.
AI Analysis
Technical Summary
CVE-2025-66566 is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) and affects yawkat lz4-java, a Java library providing LZ4 compression and decompression. In versions 1.10.0 and earlier, the pure-Java decompressor implementations do not sufficiently clear the output buffer they write into, so a crafted compressed input can cause bytes left over from an earlier decompression to be emitted as though they were part of the current decompressed payload. The JNI-based implementations are not affected. The weakness only becomes a disclosure when two conditions hold: the application reuses the same output buffer across decompression calls without clearing it (common with pooled I/O buffers and thread-local scratch arrays), and the decompressed output, or something derived from it, is returned to the party that supplied the compressed input. Under those conditions an unauthenticated remote attacker who can submit compressed data to the vulnerable endpoint can read fragments of whatever was previously decompressed into that buffer, with no user interaction required. The exposure is bounded by the contents of the output buffer; this is not an arbitrary memory read. The CVSS 4.0 score of 8.2 reflects high confidentiality impact with no impact on integrity or availability. The vulnerability was published on December 5, 2025, and is fixed in lz4-java 1.10.1; no exploitation in the wild had been reported at the time of writing. The risk is greatest where a single long-lived buffer serves many requests or tenants and where the decompressed data is sensitive, for example messaging, storage, or transport layers that decompress on behalf of multiple clients.
Potential Impact
For European organizations, the primary impact is the leakage of residual data from decompression output buffers in applications that use vulnerable versions of lz4-java. Depending on what the application decompresses, this can include personal data protected under GDPR, credentials or session tokens, intellectual property, or confidential business information. Because the attacker needs no authentication, the confidentiality risk is significant wherever untrusted parties can submit compressed input and receive the decompressed result, and it is worst in multi-tenant services where one client's request is decompressed into a buffer later reused for another client's request. Organizations in finance, healthcare, telecommunications, and government, which handle sensitive data and rely heavily on Java-based systems, are particularly exposed. The leak is limited to fragments of earlier buffer contents rather than arbitrary process memory, but leaked tokens or identifiers can still enable follow-on attacks. Integrity and availability are not affected; the confidentiality breach alone can lead to regulatory penalties, reputational damage, and financial losses. The absence of known exploits in the wild offers a window for proactive remediation before exploitation becomes widespread.
Mitigation Recommendations
1. Upgrade all instances of yawkat lz4-java to version 1.10.1 or later, where the vulnerability is fixed; check transitive dependencies, since lz4-java is usually pulled in by frameworks and messaging clients rather than declared directly.
2. Audit application code for reuse of decompression output buffers (buffer pools, thread-local scratch arrays, reused byte arrays) and ensure each buffer is cleared before reuse and that only the number of bytes reported by the decompressor is passed onward.
3. If an immediate upgrade is not feasible, stop decompressing untrusted input into shared or reused buffers: allocate a fresh buffer per decompression, or zero the buffer immediately before each call.
4. Add a regression test on the decompression path that pre-fills the output buffer with a recognisable marker and asserts that the marker never appears in the bytes returned to callers, so that application-side exposure of stale buffer contents is caught.
5. Review logging and monitoring for decompression errors and unusually shaped compressed payloads arriving from untrusted sources; these are the inputs an attacker would have to send.
6. Where a JNI-based decompressor is available and operationally acceptable, prefer it, as the JNI implementations are not affected.
7. Educate development teams on buffer hygiene: clear buffers that held sensitive data before reuse and never return more of a buffer than was actually written.
8. Coordinate with third-party vendors and service providers to confirm that their use of lz4-java has been updated.
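The following is an added example, not code from the page or from the lz4-java project, illustrating the application-side precondition described in the Technical Summary (a pooled output buffer reused across requests) and the controls in mitigations 2 and 3 (wipe before reuse, expose only the reported length). It does not reproduce the crafted compressed input; it shows why stale bytes in a reused buffer are dangerous in the first place and how to make sure they never reach a caller. It assumes the fork keeps the upstream lz4-java API and package name (`net.jpountz.lz4`); the Maven coordinates of the fork are not given here and must be checked against its own documentation. The "secret" payload is constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4SafeDecompressor;

/**
 * Added example: a pooled decompression buffer shared across requests,
 * shown in a leaky and a hardened form. Package and factory names follow
 * upstream lz4-java (net.jpountz.lz4); that the fork keeps them is an assumption.
 */
public final class ReusedBufferDemo {

    // fastestJavaInstance() selects the pure-Java path, the one affected by
    // the advisory. nativeInstance() would select the unaffected JNI path.
    private static final LZ4Factory FACTORY = LZ4Factory.fastestJavaInstance();
    private static final LZ4Compressor COMPRESSOR = FACTORY.fastCompressor();
    private static final LZ4SafeDecompressor DECOMPRESSOR = FACTORY.safeDecompressor();

    /** Compresses a payload into a right-sized array (helper for the demo). */
    static byte[] compress(byte[] plain) {
        byte[] tmp = new byte[COMPRESSOR.maxCompressedLength(plain.length)];
        int n = COMPRESSOR.compress(plain, 0, plain.length, tmp, 0, tmp.length);
        return Arrays.copyOf(tmp, n);
    }

    /**
     * Leaky pattern: decompress into the pooled buffer and hand the whole
     * buffer onward. Whatever the previous request left behind ships with it.
     */
    static byte[] decompressLeaky(byte[] compressed, byte[] pooled) {
        DECOMPRESSOR.decompress(compressed, 0, compressed.length, pooled, 0, pooled.length);
        return pooled; // stale bytes past the real output length are exposed
    }

    /**
     * Hardened pattern: wipe the pooled buffer first, then copy out exactly
     * the number of bytes the decompressor reports. On a fixed library the wipe
     * is belt and braces; on 1.10.0 and earlier it removes the data that a
     * crafted input could otherwise pull back out of the buffer.
     */
    static byte[] decompressSafely(byte[] compressed, byte[] pooled) {
        Arrays.fill(pooled, (byte) 0);
        int n = DECOMPRESSOR.decompress(compressed, 0, compressed.length, pooled, 0, pooled.length);
        return Arrays.copyOf(pooled, n);
    }

    public static void main(String[] args) {
        byte[] pooled = new byte[256]; // one buffer reused across "requests", as a pool would

        // Request 1: constructed sample data standing in for a secret.
        byte[] secret = "session-token=abc123-DO-NOT-LEAK".getBytes(StandardCharsets.UTF_8);
        decompressSafely(compress(secret), pooled); // leaves the secret behind in pooled

        // Request 2: a short payload decompressed into the same buffer.
        byte[] small = "ok".getBytes(StandardCharsets.UTF_8);

        String leaky = new String(decompressLeaky(compress(small), pooled), StandardCharsets.UTF_8);
        System.out.println("leaky output contains previous token: " + leaky.contains("abc123"));

        String safe = new String(decompressSafely(compress(small), pooled), StandardCharsets.UTF_8);
        System.out.println("safe output '" + safe + "' contains previous token: " + safe.contains("abc123"));
    }
}
```

The leaky variant returns the whole 256-byte array, so the trailing bytes of the earlier "secret" follow the two bytes of the second payload; the hardened variant returns only the two bytes the decompressor wrote, and the preceding `Arrays.fill` guarantees that nothing from an earlier request is still in the buffer when the next decompression runs. The wipe costs a memset per call and is cheap relative to decompression; the `copyOf` can be replaced by passing the length `n` alongside the buffer if the calling code is length-aware.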
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-04T16:17:35.385Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 69332135f88dbe026c014958
Added to database: 12/5/2025, 6:15:17 PM
Last enriched: 12/5/2025, 6:30:17 PM
Last updated: 12/9/2025, 6:44:00 PM