Insertion of Sensitive Information Into Sent Data in aircompressor - CVE-2025-67721

 


Published: April 28, 2026


Vulnerability identifier: #VU128324
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-67721
CWE-ID: CWE-201
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: airlift
Affected software: aircompressor

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to insertion of sensitive information into sent data in the Java-based Snappy and LZ4 decompressor implementations when processing crafted compressed input. A remote attacker can send specially crafted compressed input to disclose sensitive information.

Exploitation requires the application to reuse the same decompression output buffer across calls without clearing it first.
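
The buffer-reuse precondition above can be removed on the application side by clearing the shared output buffer around every call. The following is an added example, not code from the advisory or from aircompressor: `BlockDecompressor`, `decompressScrubbed`, `frame` and the toy decoder are hypothetical stand-ins, and the sample values are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class ScrubbedDecompress {
    // Hypothetical stand-in for a block decompressor; NOT aircompressor's own interface.
    interface BlockDecompressor {
        int decompress(byte[] in, int inOff, int inLen, byte[] out, int outOff, int maxOut);
    }

    // Zero the reused buffer before the call, validate the reported length, return a
    // copy of only this call's bytes, and zero again so no plaintext stays pooled.
    static byte[] decompressScrubbed(BlockDecompressor d, byte[] in, byte[] scratch) {
        Arrays.fill(scratch, (byte) 0);
        try {
            int n = d.decompress(in, 0, in.length, scratch, 0, scratch.length);
            if (n < 0 || n > scratch.length) {
                throw new IllegalStateException("decoder reported invalid length " + n);
            }
            return Arrays.copyOf(scratch, n);
        } finally {
            Arrays.fill(scratch, (byte) 0);
        }
    }
    // Constructed test frame: one length byte followed by the payload.
    static byte[] frame(int claimed, String payload) {
        byte[] p = payload.getBytes(StandardCharsets.US_ASCII);
        byte[] f = new byte[p.length + 1];
        f[0] = (byte) claimed;
        System.arraycopy(p, 0, f, 1, p.length);
        return f;
    }
    public static void main(String[] args) {
        // Constructed toy decoder (models stale-buffer reuse only): it trusts the claimed length.
        BlockDecompressor toy = (in, io, il, out, oo, max) -> {
            int claimed = Math.min(in[io] & 0xFF, max);
            System.arraycopy(in, io + 1, out, oo, Math.min(il - 1, claimed));
            return claimed;
        };
        byte[] shared = new byte[32];                       // reused across requests
        byte[] first = frame(20, "token=CONSTRUCTED-01");   // constructed sample value
        byte[] second = frame(20, "hi");                    // malformed: 2 of 20 bytes
        toy.decompress(first, 0, first.length, shared, 0, shared.length);
        int n = toy.decompress(second, 0, second.length, shared, 0, shared.length);
        System.out.println("reused, not cleared: " + new String(shared, 0, n, StandardCharsets.US_ASCII));
        decompressScrubbed(toy, first, shared);
        byte[] safe = decompressScrubbed(toy, second, shared);
        System.out.println("cleared first:       " + Arrays.toString(safe));
    }
}
```

Clearing the buffer only removes the stale data that could be disclosed; it does not replace the vendor update.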


How to mitigate CVE-2025-67721

Install the security update from the vendor's website.
