CVE-2025-67721: CWE-201: Insertion of Sensitive Information Into Sent Data in airlift aircompressor
Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in the Java-based decompressor implementations for Snappy and LZ4 allows remote attackers to read previous buffer contents via crafted compressed input. With certain crafted compressed inputs, elements already present in the output buffer can end up in the uncompressed output, potentially leaking sensitive data. This is relevant for applications that reuse the same output buffer to uncompress multiple inputs, for example a web server that allocates a fixed-size buffer for performance purposes. There is a similar vulnerability in GHSA-cmp6-m4wj-q63q. This issue is fixed in version 3.4.
AI Analysis
Technical Summary
CVE-2025-67721 affects the airlift aircompressor library, which provides Java ports of popular compression algorithms including Snappy, LZO, LZ4, and Zstandard. Versions 3.3 and below contain a vulnerability in the Snappy and LZ4 decompression implementations due to incorrect handling of malformed compressed input data. Specifically, when decompressing crafted malicious inputs, the decompressor may copy residual data from previous decompression operations out of the output buffer and into the current output. The leak is only observable when the application reuses the same fixed-size output buffer across multiple decompression calls, which some applications do to optimize performance. The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) and CWE-125 (Out-of-bounds Read). An attacker can exploit this by sending specially crafted compressed data to a vulnerable Java application that uses aircompressor, causing leakage of sensitive information previously held in the output buffer. The attack vector is remote and network-based, requires no authentication or user interaction, and its scope is limited to the decompression process within the application. The vulnerability does not compromise the confidentiality of the entire system but can expose fragments of sensitive data. The issue was publicly disclosed on December 12, 2025, and fixed in aircompressor version 3.4. No known exploits have been reported in the wild to date.
Potential Impact
For European organizations, this vulnerability poses a risk of sensitive data leakage in Java applications that utilize aircompressor versions below 3.4 for decompressing Snappy or LZ4 compressed data. This is particularly relevant for web servers, middleware, or microservices that handle compressed payloads and reuse output buffers for performance reasons. The leakage could expose confidential information such as session tokens, personal data, or proprietary information residing in memory buffers. While the vulnerability does not allow remote code execution or system compromise, the confidentiality breach could lead to regulatory non-compliance under GDPR if personal data is exposed. Additionally, organizations in sectors like finance, healthcare, and government, which often process sensitive data, may face reputational damage and legal consequences. The medium severity rating reflects the moderate impact and ease of exploitation without authentication. The absence of known exploits reduces immediate risk but should not delay remediation.
Mitigation Recommendations
European organizations should immediately upgrade all instances of airlift aircompressor to version 3.4 or later to eliminate this vulnerability. In addition, developers should audit their Java applications to identify any reuse of fixed-size output buffers during decompression and consider isolating buffer usage per decompression call to prevent data leakage. Implement input validation and reject malformed compressed data early in the processing pipeline. Where buffers must be reused, clear them before each reuse so that no residual data from a previous call remains. Conduct thorough testing with crafted compressed inputs to verify that no residual data is leaked. Monitor network traffic for unusual compressed payloads that could indicate exploitation attempts. Finally, integrate this vulnerability into vulnerability management and patching workflows to ensure timely updates across all environments.
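The bug class described in the technical summary and the two mitigations above (library-side offset validation, application-side buffer clearing) are illustrated by the following added example. It is a toy LZ4-block-style decoder written for this page, not aircompressor's code and not the actual malformed input for this CVE; the SECRET sample, the crafted block and the buffer offsets are all constructed here.

```python
# Toy LZ4-block-style decoder (single-byte lengths, no extended length bytes) that
# models the bug class behind CVE-2025-67721: a match copy whose offset reaches
# below the start of this call's output region reads stale bytes left in a reused
# buffer. Hypothetical model for illustration, not aircompressor's implementation.
SECRET = b"tok=S3CR3T"  # constructed sample: 10 bytes, fits one literal-length nibble


def decode_block(src: bytes, dst: bytearray, dst_off: int, validate: bool) -> int:
    """Decode src into dst starting at dst_off; return number of bytes produced."""
    ip, op = 0, dst_off
    while ip < len(src):
        token = src[ip]
        ip += 1
        lit_len, match_len = token >> 4, (token & 0x0F) + 4  # LZ4 minimum match is 4
        dst[op:op + lit_len] = src[ip:ip + lit_len]
        ip += lit_len
        op += lit_len
        if ip >= len(src):  # final sequence carries literals only
            break
        offset = src[ip] | (src[ip + 1] << 8)  # little-endian 16-bit match offset
        ip += 2
        # Hardened path: a match may only reference bytes produced by this call.
        if validate and (offset == 0 or offset > op - dst_off):
            raise ValueError("match offset points outside this call's output")
        for _ in range(match_len):  # byte-wise copy so overlapping matches work
            dst[op] = dst[op - offset]
            op += 1
    return op - dst_off


def leak_demo(validate: bool, wipe: bool) -> bytes:
    """Two decompressions sharing one buffer; returns the second call's output."""
    buf = bytearray(64)
    # Call 1: a legitimate block carrying a secret, written at offset 0.
    decode_block(bytes([len(SECRET) << 4]) + SECRET, buf, 0, validate)
    if wipe:  # application-side mitigation: clear the buffer before reuse
        buf[:] = bytes(len(buf))
    # Call 2: a malformed block decoded at offset 16: one literal 'A', then a
    # 10-byte match with offset 17, which reaches back to buf[0] (constructed).
    crafted = bytes([0x16, ord("A"), 17, 0])
    n = decode_block(crafted, buf, 16, validate)
    return bytes(buf[16:16 + n])
```

Without validation and without wiping, the second call's output contains the first call's secret; wiping the buffer turns the leaked bytes into zeros, and validation rejects the block outright.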
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-10T18:46:14.762Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693c99885292e65bc6167f6e
Added to database: 12/12/2025, 10:39:04 PM
Last enriched: 12/12/2025, 10:42:58 PM
Last updated: 12/13/2025, 12:59:30 AM