CVE-2025-67721: CWE-201: Insertion of Sensitive Information Into Sent Data in airlift aircompressor

Severity: Medium
Published: Fri Dec 12 2025 (12/12/2025, 22:11:10 UTC)
Source: CVE Database V5
Vendor/Project: airlift
Product: aircompressor

Description

Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in the Java-based decompressor implementations for Snappy and LZ4 allows remote attackers to read previous buffer contents via crafted compressed input. With certain crafted compressed inputs, elements from the output buffer can end up in the uncompressed output, potentially leaking sensitive data. This is relevant for applications that reuse the same output buffer to uncompress multiple inputs, for example a web server that allocates a fixed-size buffer for performance purposes. There is a similar vulnerability in GHSA-cmp6-m4wj-q63q. This issue is fixed in version 3.4.

AI-Powered Analysis

Last updated: 12/19/2025, 23:01:31 UTC

Technical Analysis

CVE-2025-67721 affects airlift's aircompressor library, which provides Java ports of popular compression algorithms including Snappy and LZ4. In versions 3.3 and below, the decompressor implementations incorrectly handle malformed compressed inputs. Specifically, when decompressing crafted data, the output buffer—often reused across multiple decompression operations for performance reasons—may inadvertently include residual data from previous decompressions. This occurs because the decompressor does not properly clear or isolate the output buffer before writing new decompressed data, leading to insertion of stale buffer contents into the current output. The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) and CWE-125 (Out-of-bounds Read), indicating that the decompressor reads beyond intended buffer boundaries and leaks sensitive information. Remote attackers can exploit this by sending specially crafted compressed payloads to vulnerable applications, such as web servers using aircompressor for data processing. The flaw does not require authentication or user interaction, increasing its risk profile. However, it only impacts confidentiality, as it leaks data but does not allow modification or denial of service. The issue is resolved in aircompressor version 3.4, which properly handles buffer reuse and malformed inputs to prevent leakage.

Potential Impact

For European organizations, this vulnerability poses a risk of sensitive data leakage from applications using aircompressor versions below 3.4, particularly those that reuse output buffers for decompression to optimize performance. Such leakage could expose confidential information processed or cached in memory, including user data, credentials, or proprietary information. Industries with stringent data protection requirements, such as finance, healthcare, and government, are especially at risk due to potential regulatory and reputational consequences under GDPR. While the vulnerability does not enable code execution or service disruption, the confidentiality breach could facilitate further attacks or compliance violations. Remote exploitation without authentication increases the attack surface, especially for publicly accessible services that decompress untrusted data. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks. Organizations relying on Java-based compression libraries in their infrastructure should assess their exposure and remediate promptly to avoid data leakage incidents.

Mitigation Recommendations

1. Upgrade aircompressor to version 3.4 or later, where the vulnerability is fixed.
2. Audit all applications and services using aircompressor for decompression of untrusted inputs, especially those reusing fixed-size output buffers.
3. Implement input validation and sanity checks on compressed data before decompression to detect malformed or suspicious payloads.
4. Avoid reusing output buffers across decompression operations, or ensure buffers are securely cleared before reuse to prevent residual data leakage.
5. Employ runtime memory protection techniques and monitoring to detect anomalous buffer reads or data leakage patterns.
6. Restrict network exposure of services that decompress untrusted inputs, applying strict access controls and network segmentation.
7. Monitor logs and network traffic for unusual compressed data patterns that could indicate exploitation attempts.
8. Incorporate this vulnerability into incident response plans and conduct staff training on secure handling of compressed data streams.
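The following is an added illustration of the bug class described in the Technical Analysis and of mitigation step 4; it is constructed for this page and is not aircompressor's Snappy or LZ4 code. It uses a toy LZ77-style stream format (assumed: `L n <bytes>` literal runs and `C n off` back-reference copies) and a reused fixed-size output buffer, and shows how an unvalidated copy offset lets a second decompression return bytes left behind by the first one, and how the strict decoder rejects it.

```python
"""Toy LZ77-style decoder, constructed for illustration; it is NOT aircompressor's
Snappy/LZ4 code. Stream elements: b'L' n <n bytes> (literal run) and
b'C' n off (copy n bytes starting off bytes behind the write position)."""

OUT_SIZE = 32  # fixed-size output buffer the caller reuses across calls


def decompress(data: bytes, out: bytearray, out_off: int, strict: bool) -> bytes:
    """Write decoded bytes into out[out_off:]. With strict=False the copy
    offset is trusted (the bug class on this page); with strict=True every
    copy must source from bytes this call produced and every write must fit."""
    pos, i = out_off, 0
    while i < len(data):
        tag, n = data[i], data[i + 1]
        if strict and pos + n > len(out):
            raise ValueError("output would overflow buffer")
        if tag == ord("L"):
            if strict and i + 2 + n > len(data):
                raise ValueError("truncated literal run")
            out[pos:pos + n] = data[i + 2:i + 2 + n]
            i += 2 + n
        elif tag == ord("C"):
            off = data[i + 2]
            if strict and (off == 0 or pos - off < out_off):
                raise ValueError("back-reference reaches before this call's output")
            for k in range(n):             # byte loop: overlapping copies are legal
                out[pos + k] = out[pos - off + k]
            i += 3
        else:
            raise ValueError("unknown element tag")
        pos += n
    return bytes(out[out_off:pos])


def demo() -> tuple[bytes, str]:
    buf = bytearray(OUT_SIZE)
    # call 1: a legitimate stream leaves 'SECRET-TOKEN' in buf[0:12]
    decompress(b"L\x0cSECRET-TOKEN", buf, 0, strict=False)
    # call 2 reuses buf at out_off=16: one literal byte, then a 12-byte copy
    # whose offset (17) reaches back to buf[0], i.e. into the previous output
    crafted = b"L\x01A" + b"C\x0c\x11"
    leaked = decompress(crafted, buf, 16, strict=False)
    try:
        decompress(crafted, buf, 16, strict=True)
        verdict = "accepted"
    except ValueError as e:
        verdict = str(e)
    buf[:] = bytes(OUT_SIZE)   # mitigation 4: wipe the buffer before any reuse
    return leaked, verdict
```

The strict decoder's offset check is the property a reviewer should look for in any back-reference decoder: the source of a copy must never precede the start of the current call's output region, and the bound must be checked against the caller's output offset, not just against zero.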


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-10T18:46:14.762Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 693c99885292e65bc6167f6e

Added to database: 12/12/2025, 10:39:04 PM

Last enriched: 12/19/2025, 11:01:31 PM

Last updated: 2/7/2026, 3:36:34 PM

