KAFKA-19951: Update lz4 dependency version for CVE-2025-12183

[erikanderson]

Updated lz4 dependency version from 1.8.0 to 1.8.1. For
https://nvd.nist.gov/vuln/detail/CVE-2025-12183

See https://github.com/yawkat/lz4-java/releases/tag/v1.8.1

Reviewers: Gaurav Narula gaurav_narula2@apple.com, Lan Ding
isDing_L@163.com, Chia-Ping Tsai chia7712@gmail.com

[DL1231]

Thanks for the patch. Could you also update LICENSE-binary and ensure the compression levels in org.apache.kafka.common.record.CompressionType are still valid?

[erikanderson]

@DL1231 thank you, updated license binary, do you know how org.apache.kafka.common.record.CompressionType has been confirmed in the past?

[mimaison]

I linked the PR to KAFKA-19951.

Regarding the compression level, it's explained in CompressionType: https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L73-L74

[mimaison]

Also there's still a build issue:

Could not determine the dependencies of task ':clients:shadowJar'.
> Could not resolve all dependencies for configuration ':clients:runtimeClasspath'.
   > Could not resolve org.lz4:lz4-java:1.8.1.
     Required by:
         project ':clients'
      > Module 'org.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['at.yawk.lz4:lz4-java:1.8.1' (runtimeElements)]
   > Could not resolve at.yawk.lz4:lz4-java:1.8.1.
     Required by:
         project ':clients' > org.lz4:lz4-java:1.8.1
      > Module 'at.yawk.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['org.lz4:lz4-java:1.8.1' (runtime)]

[erikanderson]

Also there's still a build issue:

Could not determine the dependencies of task ':clients:shadowJar'.
> Could not resolve all dependencies for configuration ':clients:runtimeClasspath'.
   > Could not resolve org.lz4:lz4-java:1.8.1.
     Required by:
         project ':clients'
      > Module 'org.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['at.yawk.lz4:lz4-java:1.8.1' (runtimeElements)]
   > Could not resolve at.yawk.lz4:lz4-java:1.8.1.
     Required by:
         project ':clients' > org.lz4:lz4-java:1.8.1
      > Module 'at.yawk.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by ['org.lz4:lz4-java:1.8.1' (runtime)]

It looks like there was a recent change to discontinue https://github.com/lz4/lz4-java, in favor of community fork https://github.com/yawkat/lz4-java . I'll try updating to new GAV

[yawkat]

Maintainer here. Interesting, did you see that error when depending on org.lz4:lz4-java:1.8.1 directly, without any reference to at.yawk.lz4? Maybe there's something wrong with the gradle capability metadata

[erikanderson]

https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L73-L74

Looks like max compression level is unchanged at 16+1 https://github.com/yawkat/lz4-java/blob/d9488323123899f90041187c20801deabcae1bef/src/java/net/jpountz/lz4/LZ4Constants.java#L24

[erikanderson]

Maintainer here. Interesting, did you see that error when depending on org.lz4:lz4-java:1.8.1 directly, without any reference to at.yawk.lz4? Maybe there's something wrong with the gradle capability metadata

Yeah, had to switch to your gav for it to work (I'm just a random person not affil with apache): 51c520e

[mjschwaiger]

'org.lz4:lz4-java:1.8.1

Simple example demonstrating the issue mentioned by @mimaison:

plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // (1) only -> success
    // (2) only -> error, but: capability conflict not expected
    // (3) only -> success
    // (1) + (2) -> error (expected?)
    // (1) + (3) -> error (capability conflict as expected)
    // (2) + (3) -> error (capability conflict as expected)

    // implementation 'org.lz4:lz4-java:1.8.0' // (1)
    implementation 'org.lz4:lz4-java:1.8.1' // (2)
    // implementation 'at.yawk.lz4:lz4-java:1.8.1' // (3)
}

If only org.lz4:lz4-java:1.8.1 (2) is used, this unexpected build error will occur:

Could not determine the dependencies of task ':testlz4:compileJava'.
> Could not resolve all dependencies for configuration ':testlz4:compileClasspath'.
   > Could not resolve org.lz4:lz4-java:1.8.1.
     Required by:
         project :testlz4
      > Module 'org.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by [at.yawk.lz4:lz4-java:1.8.1(apiElements)]
   > Could not resolve at.yawk.lz4:lz4-java:1.8.1.
     Required by:
         project :testlz4 > org.lz4:lz4-java:1.8.1
      > Module 'at.yawk.lz4:lz4-java' has been rejected:
           Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.1' also provided by [org.lz4:lz4-java:1.8.1(compile)]

There might be an issue with the capability configuration together with the relocation settings, which could be the reason for the problem.

[yawkat]

@mjschwaiger I made a test case here: https://github.com/yawkat/test-case-gradle-rename-capability

I think it's a gradle bug, I've asked on the gradle community slack about it.

[chia7712]

LGTM

[chia7712]

@mimaison do you have time to take a look at this?

[ccudennec-otto]

BTW: If the Java project is discontinued, I think it would be a good idea to get rid of the library. Not sure where I could raise this question as an issue.

[chia7712]

Not sure where I could raise this question as an issue.

I recommend KAFKA-17301 for raising this issue 😄

[mimaison]

Should we directly bump to 1.10.0?

[chia7712]

done (cd8be9e)

[mimaison]

BTW: If the Java project is discontinued, I think it would be a good idea to get rid of the library. Not sure where I could raise this question as an issue.

org.lz4:lz4-java is not maintained but at.yawk.lz4:lz4-java is a new fork that is maintained.

[DL1231]

LGTM, thanks for the patch.

[marcosflobo]

Really looking forward to this team!. We have many services using this library and the "CVE alerts" already raised.

Thanks for the great job!

[chia7712]

@erikanderson sorry for intervening on your PR, but we have two planned releases waiting for this patch 😃