CVE-2025-66566: CWE-201: Insertion of Sensitive Information Into Sent Data in yawkat lz4-java
CVE-2025-66566 is a high-severity vulnerability in yawkat lz4-java versions prior to 1.10.1, where insufficient clearing of the output buffer in Java-based decompressor implementations allows remote attackers to read residual data from previous decompression operations. This can lead to disclosure of sensitive information if the output buffer is reused without proper clearing. The vulnerability does not affect JNI-based implementations and requires no authentication or user interaction to exploit. Although no known exploits are currently reported in the wild, the vulnerability poses a significant confidentiality risk. The issue is fixed in version 1.10.1 of lz4-java. European organizations using vulnerable versions in their Java applications, especially those handling sensitive data, should prioritize upgrading to mitigate potential data leakage.
AI Analysis
Technical Summary
CVE-2025-66566 is a vulnerability classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) affecting yawkat lz4-java, a Java library providing LZ4 compression and decompression functionality. The root cause lies in insufficient clearing of the output buffer in Java-based decompressor implementations in versions 1.10.0 and earlier. When decompressing crafted compressed input, the output buffer may retain residual data from previous decompression operations if the buffer is reused without being cleared. This residual data can include sensitive information previously processed by the application, leading to unintended data disclosure. The vulnerability can be exploited remotely without authentication or user interaction, as an attacker only needs to supply malicious compressed input to trigger the leakage. JNI-based implementations of lz4-java are not affected, indicating the flaw is specific to the pure Java decompression code path. The vulnerability has a CVSS 4.0 base score of 8.2, reflecting its high severity due to network attack vector, low complexity, no privileges required, and high impact on confidentiality. No known exploits have been reported in the wild as of the publication date. The issue is resolved in lz4-java version 1.10.1, where proper clearing of the output buffer is implemented to prevent residual data leakage.
Potential Impact
For European organizations, the primary impact of this vulnerability is the potential unauthorized disclosure of sensitive data processed by applications using vulnerable versions of lz4-java. This can include personal data, credentials, or proprietary information, depending on the application's context. Data leakage can lead to regulatory non-compliance under GDPR, reputational damage, and potential financial losses. Since the vulnerability can be exploited remotely without authentication, any exposed service accepting compressed input using the vulnerable library is at risk. The impact is particularly critical for sectors such as finance, healthcare, and government, where sensitive data confidentiality is paramount. Additionally, organizations relying on Java-based microservices or middleware that incorporate lz4-java for compression may inadvertently expose internal data. The lack of user interaction or privileges required for exploitation increases the threat surface. However, the absence of known exploits in the wild suggests that immediate widespread attacks may not be occurring, but proactive mitigation is essential to prevent future exploitation.
Mitigation Recommendations
European organizations should immediately assess their software inventory to identify usage of yawkat lz4-java versions prior to 1.10.1. The primary mitigation is to upgrade all instances of lz4-java to version 1.10.1 or later, where the vulnerability is fixed. For applications where upgrading is not immediately feasible, implement compensating controls such as ensuring output buffers are explicitly cleared before reuse in custom decompression logic. Conduct code reviews to verify that decompression buffers do not retain sensitive data. Network-level protections such as input validation and filtering of compressed data from untrusted sources can reduce exposure. Employ runtime application self-protection (RASP) or intrusion detection systems to monitor for anomalous decompression requests. Additionally, review logging and monitoring to detect unusual decompression activity. Finally, update incident response plans to include scenarios involving data leakage via compression libraries.
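The compensating control described above, as an added example that is not part of this advisory or of the lz4-java project's own code: a wrapper that keeps a reused scratch buffer but zeroes it before every decompression and returns only the bytes the decompressor reports, so a region the decoder leaves untouched reads as zeros rather than as a previous caller's plaintext. It assumes the standard net.jpountz.lz4 API (LZ4Factory, LZ4SafeDecompressor, LZ4Compressor); the wrapper class and its sample messages are hypothetical, constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4SafeDecompressor;

// Hypothetical wrapper: reuses one output buffer (the risky pattern) but
// clears it before each call and never exposes the whole scratch array.
public final class ClearedLz4Decoder {
    private final LZ4SafeDecompressor decompressor;
    private final byte[] scratch; // shared across calls, hence the clearing

    public ClearedLz4Decoder(LZ4Factory factory, int maxDecompressedLen) {
        this.decompressor = factory.safeDecompressor();
        this.scratch = new byte[maxDecompressedLen];
    }

    public synchronized byte[] decompress(byte[] src, int srcOff, int srcLen) {
        // Zero first: anything the decoder does not write is now 0x00,
        // not residue from an earlier message.
        Arrays.fill(scratch, (byte) 0);
        int n = decompressor.decompress(src, srcOff, srcLen, scratch, 0, scratch.length);
        byte[] out = Arrays.copyOf(scratch, n); // only the reported length leaves
        Arrays.fill(scratch, 0, n, (byte) 0);   // do not keep plaintext around
        return out;
    }

    public static void main(String[] args) {
        LZ4Factory factory = LZ4Factory.safeInstance(); // pure-Java code path
        LZ4Compressor compressor = factory.fastCompressor();
        ClearedLz4Decoder decoder = new ClearedLz4Decoder(factory, 1024);

        // Constructed sample input: a long "secret" message, then a short one.
        byte[] secret = "password=hunter2".getBytes(StandardCharsets.UTF_8);
        byte[] hello = "hi".getBytes(StandardCharsets.UTF_8);
        byte[] c1 = new byte[compressor.maxCompressedLength(secret.length)];
        int n1 = compressor.compress(secret, 0, secret.length, c1, 0, c1.length);
        byte[] c2 = new byte[compressor.maxCompressedLength(hello.length)];
        int n2 = compressor.compress(hello, 0, hello.length, c2, 0, c2.length);

        decoder.decompress(c1, 0, n1);                  // fills the shared buffer
        byte[] second = decoder.decompress(c2, 0, n2);  // same buffer, cleared first
        System.out.println(second.length + " bytes: "
                + new String(second, StandardCharsets.UTF_8));
    }
}
```

Clearing costs a write of the full scratch buffer per call, so size the buffer to the largest frame you actually accept rather than to a generous maximum.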
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-04T16:17:35.385Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69332135f88dbe026c014958
Added to database: 12/5/2025, 6:15:17 PM
Last enriched: 12/12/2025, 7:16:00 PM
Last updated: 2/7/2026, 9:18:28 AM