KAFKA-19951: Update lz4 dependency version for CVE-2025-12183 & CVE-2025-66566

[erikanderson]

Updated lz4 dependency version from 1.8.0 to 1.10.1

CVE-2025-12183

https://nvd.nist.gov/vuln/detail/CVE-2025-12183

CVE-2025-66566

https://nvd.nist.gov/vuln/detail/CVE-2025-66566

Releases

https://github.com/yawkat/lz4-java/releases/tag/v1.8.1
https://github.com/yawkat/lz4-java/releases/tag/v1.10.0
https://github.com/yawkat/lz4-java/releases/tag/v1.10.1

Reviewers: Gaurav Narula gaurav_narula2@apple.com, Lan Ding
isDing_L@163.com, Chia-Ping Tsai chia7712@gmail.com, Mickael Maison
mimaison@apache.org, PoAn Yang payang@apache.org

[DL1231]

Thanks for the patch. Could you also update LICENSE-binary and ensure the compression levels in org.apache.kafka.common.record.CompressionType are still valid?

[erikanderson]

@DL1231 thank you, updated license binary, do you know how org.apache.kafka.common.record.CompressionType has been confirmed in the past?

[mimaison]

I linked the PR to KAFKA-19951.

Regarding the compression level, it's explained in CompressionType: https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L73-L74

[mimaison]

Also there's still a build issue:

Could not determine the dependencies of task ':clients:shadowJar'.
> Could not resolve all dependencies for configuration ':clients:runtimeClasspath'.
   > Could not resolve org.lz4:lz4-java:1.8.1.
     Required by:
         project ':clients'
      > Module 'org.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['at.yawk.lz4:lz4-java:1.8.1' (runtimeElements)]
   > Could not resolve at.yawk.lz4:lz4-java:1.8.1.
     Required by:
         project ':clients' > org.lz4:lz4-java:1.8.1
      > Module 'at.yawk.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['org.lz4:lz4-java:1.8.1' (runtime)]

[erikanderson]

Also there's still a build issue:

Could not determine the dependencies of task ':clients:shadowJar'.
> Could not resolve all dependencies for configuration ':clients:runtimeClasspath'.
   > Could not resolve org.lz4:lz4-java:1.8.1.
     Required by:
         project ':clients'
      > Module 'org.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['at.yawk.lz4:lz4-java:1.8.1' (runtimeElements)]
   > Could not resolve at.yawk.lz4:lz4-java:1.8.1.
     Required by:
         project ':clients' > org.lz4:lz4-java:1.8.1
      > Module 'at.yawk.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['org.lz4:lz4-java:1.8.1' (runtime)]

It looks like there was a recent change to discontinue https://github.com/lz4/lz4-java, in favor of community fork https://github.com/yawkat/lz4-java . I'll try updating to new GAV

[yawkat]

Maintainer here. Interesting, did you see that error when depending on org.lz4:lz4-java:1.8.1 directly, without any reference to at.yawk.lz4? Maybe there's something wrong with the gradle capability metadata

[erikanderson]

https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L73-L74

Looks like max compression level is unchanged at 16+1 https://github.com/yawkat/lz4-java/blob/d9488323123899f90041187c20801deabcae1bef/src/java/net/jpountz/lz4/LZ4Constants.java#L24

[erikanderson]

Maintainer here. Interesting, did you see that error when depending on org.lz4:lz4-java:1.8.1 directly, without any reference to at.yawk.lz4? Maybe there's something wrong with the gradle capability metadata

Yeah, had to switch to your gav for it to work (I'm just a random person not affil with apache): 51c520e

[mjschwaiger]

'org.lz4:lz4-java:1.8.1

Simple example demonstrating the issue mentioned by @mimaison:

plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // (1) only -> success
    // (2) only -> error, but: capability conflict not expected
    // (3) only -> success
    // (1) + (2) -> error (expected?)
    // (1) + (3) -> error (capability conflict as expected)
    // (2) + (3) -> error (capability conflict as expected)

    // implementation 'org.lz4:lz4-java:1.8.0' // (1)
    implementation 'org.lz4:lz4-java:1.8.1' // (2)
    // implementation 'at.yawk.lz4:lz4-java:1.8.1' // (3)
}

If only org.lz4:lz4-java:1.8.1 (2) is used, this unexpected build error will occur:

Could not determine the dependencies of task ':testlz4:compileJava'.
> Could not resolve all dependencies for configuration ':testlz4:compileClasspath'.
   > Could not resolve org.lz4:lz4-java:1.8.1.
     Required by:
         project :testlz4
      > Module 'org.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by [at.yawk.lz4:lz4-java:1.8.1(apiElements)]
   > Could not resolve at.yawk.lz4:lz4-java:1.8.1.
     Required by:
         project :testlz4 > org.lz4:lz4-java:1.8.1
      > Module 'at.yawk.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by [org.lz4:lz4-java:1.8.1(compile)]

There might be an issue with the capability configuration together with the relocation settings, which could be the reason for the problem.

[yawkat]

@mjschwaiger I made a test case here: https://github.com/yawkat/test-case-gradle-rename-capability

I think it's a gradle bug, I've asked on the gradle community slack about it.

[chia7712]

LGTM

[chia7712]

@mimaison do you have time to take a look at this?

[ccudennec-otto]

BTW: If the Java project is discontinued, I think it would be a good idea to get rid of the library. Not sure where I could raise this question as an issue.

[chia7712]

Not sure where I could raise this question as an issue.

I recommend KAFKA-17301 for raising this issue 😄

[mimaison]

Should we directly bump to 1.10.0?

[chia7712]

done (cd8be9e)

[mimaison]

I approved your account request and assigned KAFKA-19951 to you. Thanks!

[ox-sag]

when the release version will be released ?

[chia7712]

when the release version will be released ?

3.9.2 (Nov 2025)
4.2.0 (January 2026)

I guess 3.9.2 release will be delayed :)

[skaluva]

'org.lz4:lz4-java:1.8.1

Simple example demonstrating the issue mentioned by @mimaison:

plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // (1) only -> success
    // (2) only -> error, but: capability conflict not expected
    // (3) only -> success
    // (1) + (2) -> error (expected?)
    // (1) + (3) -> error (capability conflict as expected)
    // (2) + (3) -> error (capability conflict as expected)

    // implementation 'org.lz4:lz4-java:1.8.0' // (1)
    implementation 'org.lz4:lz4-java:1.8.1' // (2)
    // implementation 'at.yawk.lz4:lz4-java:1.8.1' // (3)
}

If only org.lz4:lz4-java:1.8.1 (2) is used, this unexpected build error will occur:

Could not determine the dependencies of task ':testlz4:compileJava'.
> Could not resolve all dependencies for configuration ':testlz4:compileClasspath'.
   > Could not resolve org.lz4:lz4-java:1.8.1.
     Required by:
         project :testlz4
      > Module 'org.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by [at.yawk.lz4:lz4-java:1.8.1(apiElements)]
   > Could not resolve at.yawk.lz4:lz4-java:1.8.1.
     Required by:
         project :testlz4 > org.lz4:lz4-java:1.8.1
      > Module 'at.yawk.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by [org.lz4:lz4-java:1.8.1(compile)]

There might be an issue with the capability configuration together with the relocation settings, which could be the reason for the problem.

I'm exactly facing this, struggling to switch this dependency with the new group. But with the gradle capability feature, it works when i define like this:

dependencies {
    implementation ("org.apache.kafka:kafka-clients:3.9.1"){
        exclude group: "org.lz4", module:"lz4-java"
    }
    implementation "at.yawk.lz4:lz4-java:1.10.1" //group changed in newer versions
}
    
configurations.configureEach {
    resolutionStrategy {
        // 1. Resolve capability conflict (CRITICAL)
        capabilitiesResolution.withCapability("org.lz4:lz4-java") {
            select("at.yawk.lz4:lz4-java:1.10.1")
            because("CVE-2025-12183, CVE-2025-66566 – groupId migrated")
        }
    }
}

But in my case the problem is, all my consumers of my internal framework (which uses above kafka-clients) are forced to define above logic to make it work, which i didnt like. Hope in newer versions of kafka-clients, they update their dependency graph with new group.

[marcelstoer]

Hope in newer versions of kafka-clients, they update their dependency graph with new group.

They already did: #21035 <-- this PR

[skaluva]

Hope in newer versions of kafka-clients, they update their dependency graph with new group.

They already did: #21035

Oh yeah.. missed reading entire thread.. but looks like 3.9.2 is not yet released :)

[chia7712]

but looks like 3.9.2 is not yet released :)

It's currently in the oven! Stay tuned 😄

[omarmahamid]

@chia7712

Let’s just hope it’s baking nicely and not getting a little too crispy 😄

[radarsh]

Sorry to be pushy, but when can we expect a new version of 3.9.x with this fix? People in my organisation are panicking as this vulnerability has a high score.

[chia7712]

Sorry to be pushy, but when can we expect a new version of 3.9.x with this fix? People in my organisation are panicking as this vulnerability has a high score.

Definitely. We understand the urgency. We are currently preparing the 3.9.2 RC0, and I will share the release discussion link here as soon as it is ready

[FrankYang0529]

Currently, most of 3.9.2-rc0 artifacts are ready. I'm waiting for apache/kafka-native:3.9.2-rc0 image (https://github.com/apache/kafka/actions/runs/20998197324). I will start the vote thread after it's ready. Thanks.

[FrankYang0529]

3.9.2-rc0 vote thread: https://lists.apache.org/thread/t83xx0f4bfo160zhnnh885qh27o494dh

[skaluva]

I still dont see 3.9.2 artifacts in maven central repo.. any idea when those will be available for public use..
(sorry for asking this, im not aware on how to use above vote thread mentioned)

[FrankYang0529]

@skaluva Based on release document, the rc version is not pushed to maven central repo.

https://maven.apache.org/guides/development/guide-testing-releases.html
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=34840886#ReleaseProcess-Afterthevotepasses

[radarsh]

21st January has passed. The RC has only received one +1 vote. Now what happens? Do we wait indefinitely until the required number of votes are cast or is there a time limit after which release will be cut anyway?

[chia7712]

21st January has passed. The RC has only received one +1 vote. Now what happens? Do we wait indefinitely until the required number of votes are cast or is there a time limit after which release will be cut anyway?

Good point. We have been jugging between two releases lately, which is why the 3.9.2 RC is moving a bit slower. We are on it and will case the necessary votes once the validation is complete.

[skaluva]

Any update on this please? all our repositories mend scans are failing due to this and our infosec team is behind us.. :(

[chia7712]

Any update on this please? all our repositories mend scans are failing due to this and our infosec team is behind us.. :(

Totally understand the pressure from your infosec team. The fix is nearly ready - we are waiting on the very last vote for approval. It should be moving forward very shortly

[omarmahamid]

[chia7712]

BTW, it would be super helpful if you guys could join the release vote thread and help verify the RC. Even if your "+1" is non-binding, sharing your test results gives the maintainers the final confidence needed to close the vote

For instance, @jiafu1115 has already helped verify the 3.9.2-RC in their environment, ensuring it does not burn out the server. If you have time, please jump in and help us cross the finish line

vote thread: https://lists.apache.org/thread/t83xx0f4bfo160zhnnh885qh27o494dh

[tobbin2]

When can we expect the release date of 3.9.2, how long does it usually take for the last legendary voter?

[yeikel]

When can we expect the release date of 3.9.2,

You should consider following the email list for updates

how long does it usually take for the last legendary voter?

This legendary voter could be you. For example, download the RC, test it and share feedback. It is a community effort 🚀

[radarsh]

I think we had the legendary vote yesterday. I'm assuming now it's just pending release formalities?

[chia7712]

Yes, we have the legendary voter. At the same time, we’re investigating a patch regarding a CVE. Hopefully, this will not lead to another RC

#21395

[yeikel]

Yes, we have the legendary voter. At the same time, we’re investigating a patch regarding a CVE. Hopefully, this will not lead to another RC

#21395

That's a pretty high severity CVE, thanks for the great work. We'll need to wait or the sec teams will still chase us anyways 😃

[skaluva]

when do i see it here?

Entire kafka industry plagued with this CVE.. :D

[chia7712]

Entire kafka industry plagued with this CVE..

Not just Kafka. We're all in this burning building together. 🔥

[yawkat]

You're welcome 🤗