Chore : AAP-10129 : Add constraint on Lz4-java dependency due to critical CVE-2025-12183 #113

DibyojyotiS · 2025-12-10T11:53:33Z

Description
This PR adds a version constraint for org.lz4:lz4-java:1.8.1 to address security vulnerability CVE-2025-12183 found in version 1.8.0.

Type: Security bugfix - dependency update

Change: Added explicit version constraint in the kafka-bom to enforce lz4-java version 1.8.1 across all dependent modules, preventing the use of vulnerable version 1.8.0.

Motivation: CVE-2025-12183 affects org.lz4:lz4-java:1.8.0 and is fixed in 1.8.1. By adding this constraint to the BOM (Bill of Materials), all modules consuming kafka-bom will automatically use the patched version.

Related vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2025-12183

…-12183

github-actions · 2025-12-10T11:54:26Z

Test Results

15 files ±0 15 suites ±0 30s ⏱️ +2s
68 tests ±0 68 ✅ ±0 0 💤 ±0 0 ❌ ±0
86 runs ±0 86 ✅ ±0 0 💤 ±0 0 ❌ ±0

Results for commit 0ce73d4. ± Comparison against base commit 060ebf3.

This pull request removes 9 and adds 9 tests. Note that renamed tests count towards both.

org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [1] {rocksdb.cache.write.buffers.ratio=-0.1, application.id=app-1}
org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [1] {rocksdb.compaction.style=LEVEL, rocksdb.max.write.buffers=2, rocksdb.direct.reads.enabled=true, rocksdb.write.buffer.size=8388608, rocksdb.block.size=8388608, rocksdb.compression.type=SNAPPY_COMPRESSION, rocksdb.log.level=INFO_LEVEL, application.id=app-1}
org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [1] {rocksdb.compaction.universal.max.size.amplification.percent=50, rocksdb.compaction.universal.compression.size.percent=40, rocksdb.compaction.style=UNIVERSAL, rocksdb.periodic.compaction.seconds=60, application.id=app-2}
org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [2] {rocksdb.cache.write.buffers.ratio=1.1, application.id=app-2}
org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [2] {rocksdb.compaction.style=UNIVERSAL, rocksdb.max.write.buffers=3, rocksdb.direct.reads.enabled=true, rocksdb.write.buffer.size=8388607, rocksdb.block.size=8388609, rocksdb.compression.type=SNAPPY_COMPRESSION, rocksdb.log.level=DEBUG_LEVEL, application.id=app-2}
org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [3] {application.id=app-3, rocksdb.cache.high.priority.pool.ratio=-0.1}
org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [3] {rocksdb.compaction.style=FIFO, rocksdb.max.write.buffers=4, rocksdb.direct.reads.enabled=false, rocksdb.write.buffer.size=8388609, rocksdb.block.size=8388607, rocksdb.compression.type=SNAPPY_COMPRESSION, rocksdb.log.level=ERROR_LEVEL, application.id=app-3}
org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [4] {application.id=app-2, rocksdb.cache.high.priority.pool.ratio=1.1}
org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [5] {rocksdb.cache.write.buffers.ratio=0.9, rocksdb.cache.high.priority.pool.ratio=0.2, application.id=app-5}

org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [1] {application.id=app-1, rocksdb.cache.write.buffers.ratio=-0.1}
org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [1] {application.id=app-1, rocksdb.log.level=INFO_LEVEL, rocksdb.compression.type=SNAPPY_COMPRESSION, rocksdb.block.size=8388608, rocksdb.write.buffer.size=8388608, rocksdb.direct.reads.enabled=true, rocksdb.max.write.buffers=2, rocksdb.compaction.style=LEVEL}
org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [1] {rocksdb.periodic.compaction.seconds=60, rocksdb.compaction.style=UNIVERSAL, rocksdb.compaction.universal.compression.size.percent=40, rocksdb.compaction.universal.max.size.amplification.percent=50, application.id=app-2}
org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [2] {application.id=app-2, rocksdb.cache.write.buffers.ratio=1.1}
org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [2] {application.id=app-2, rocksdb.log.level=DEBUG_LEVEL, rocksdb.compression.type=SNAPPY_COMPRESSION, rocksdb.block.size=8388609, rocksdb.write.buffer.size=8388607, rocksdb.direct.reads.enabled=true, rocksdb.max.write.buffers=3, rocksdb.compaction.style=UNIVERSAL}
org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [3] {application.id=app-3, rocksdb.log.level=ERROR_LEVEL, rocksdb.compression.type=SNAPPY_COMPRESSION, rocksdb.block.size=8388607, rocksdb.write.buffer.size=8388609, rocksdb.direct.reads.enabled=false, rocksdb.max.write.buffers=4, rocksdb.compaction.style=FIFO}
org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [3] {rocksdb.cache.high.priority.pool.ratio=-0.1, application.id=app-3}
org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [4] {rocksdb.cache.high.priority.pool.ratio=1.1, application.id=app-2}
org.hypertrace.core.kafkastreams.framework.rocksdb.BoundedMemoryConfigSetterTest ‑ [5] {rocksdb.cache.write.buffers.ratio=0.9, application.id=app-5, rocksdb.cache.high.priority.pool.ratio=0.2}

♻️ This comment has been updated with latest results.

… to at.yawk.lz4:lz4-java:1.8.1

Chore: Add constraint on Lz4-java dependency due to critical CVE-2025…

360b528

…-12183

DibyojyotiS requested a review from a team as a code owner December 10, 2025 11:53

DibyojyotiS added 2 commits December 11, 2025 13:32

address gradle's conflict due to org.lz4:lz4-java:1.8.1 being pointed…

78aef6a

… to at.yawk.lz4:lz4-java:1.8.1

removed selectHighestVersion and made it more specific for 1.8.1 version

0ce73d4

kotharironak approved these changes Dec 12, 2025

View reviewed changes

DibyojyotiS merged commit 0aa8c44 into main Dec 12, 2025
5 checks passed

DibyojyotiS deleted the add-constraint-lz4-java branch December 12, 2025 06:50

DibyojyotiS changed the title ~~Chore: Add constraint on Lz4-java dependency due to critical CVE-2025-12183~~ Chore : AAP-10129 : Add constraint on Lz4-java dependency due to critical CVE-2025-12183 Dec 12, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Chore : AAP-10129 : Add constraint on Lz4-java dependency due to critical CVE-2025-12183 #113

Chore : AAP-10129 : Add constraint on Lz4-java dependency due to critical CVE-2025-12183 #113

Uh oh!

DibyojyotiS commented Dec 10, 2025

Uh oh!

github-actions bot commented Dec 10, 2025 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Chore : AAP-10129 : Add constraint on Lz4-java dependency due to critical CVE-2025-12183 #113

Chore : AAP-10129 : Add constraint on Lz4-java dependency due to critical CVE-2025-12183 #113

Uh oh!

Conversation

DibyojyotiS commented Dec 10, 2025

Uh oh!

github-actions bot commented Dec 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Test Results

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

github-actions bot commented Dec 10, 2025 •

edited

Loading