Data Leak Vulnerability in Aircompressor Library for Java-Based Decompressors
CVE-2025-67721

6.3MEDIUM

Key Information:

Vendor

Airlift

Status
Aircompressor
Vendor
CVE Published:
12 December 2025

What is CVE-2025-67721?

The Aircompressor library, which implements various compression algorithms in Java, has a vulnerability in its handling of malformed data during decompression operations. Specifically, in versions 3.3 and below, an attacker can exploit this by sending crafted compressed input, resulting in unintended data leakage from previous buffer contents. This is particularly concerning for applications that utilize a fixed-size buffer for uncompression, such as web servers, as it may inadvertently output sensitive information from the buffer. Users are advised to upgrade to version 3.4 or later to mitigate this risk. Relevant issues are linked in various GitHub advisories.

Affected Version(s)

aircompressor < 3.4

References

https://github.com/airlift/aircompressor/security/advisor...
x_refsource_CONFIRM
https://github.com/airlift/aircompressor/commit/f2b489b39...
x_refsource_MISC
https://github.com/airlift/aircompressor/commit/ff12c4d57...
x_refsource_MISC

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.