CVE-2025-67721 Airlift — Exploit & Vulnerability Details MEDIUM

Parameter	Value
CVSS	6.3 (MEDIUM)
Affected Versions	3.0 — 3.4
Fixed In	3.4
Type	CWE-201, CWE-125 (Out-of-bounds Read)
Vendor	Airlift
Public PoC	No

Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allow remote attackers to read previous buffer contents via crafted compressed input. With certain crafted compressed inputs, elements from the output buffer can end up in the uncompressed output, potentially leaking sensitive data.

This is relevant for applications that reuse the same output buffer to uncompress multiple inputs. This can be the case of a web server that allocates a fix-sized buffer for performance purposes. There is similar vulnerability in GHSA-cmp6-m4wj-q63q.

This issue is fixed in version 3.4.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Attack Requirements

Present

Additional conditions required

Privileges Required

None

No privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

Low

Partial data leak

Integrity

None

No data modification

Availability

None

No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-201

CWE-125 Out-of-bounds Read

Vulnerable Products 2

Configuration	From (including)	Up to (excluding)
Airlift Aircompressor cpe:2.3:a:airlift:aircompressor::::::::	—	`2.0.3`
Airlift Aircompressor cpe:2.3:a:airlift:aircompressor::::::::	`3.0`	`3.4`