apache · VGalaxies · Jan 4, 2026 · Dec 15, 2025 · Dec 16, 2025 · Dec 16, 2025
diff --git a/hugegraph-server/hugegraph-core/pom.xml b/hugegraph-server/hugegraph-core/pom.xml
@@ -32,7 +32,7 @@
         <jraft.version>1.3.11</jraft.version>
         <ohc.version>0.7.4</ohc.version>
         <jna.version>5.12.1</jna.version>
-        <lz4.version>1.8.0</lz4.version>
+        <lz4.version>1.8.1</lz4.version>
         <mmseg4j-core.version>1.10.0</mmseg4j-core.version>
         <jcseg.version>2.6.2</jcseg.version>
         <hanlp.version>portable-1.8.3</hanlp.version>
@@ -197,6 +197,8 @@
             <artifactId>commons-compress</artifactId>
             <version>${commons-compress.version}</version>
         </dependency>
+        <!-- LZ4 version update from 1.8.0 to 1.8.1. For details on the specific changes, please refer to:
+        https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183 -->
         <dependency>
             <groupId>org.lz4</groupId>
             <artifactId>lz4-java</artifactId>

diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/CompressUtil.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/CompressUtil.java
@@ -139,7 +139,7 @@ public static void decompressTar(String sourceFile, String outputDir,
             ArchiveEntry entry;
             while ((entry = tis.getNextEntry()) != null) {
                 // Create a new path, zip slip validate
-                Path newPath = zipSlipProtect(entry, target);
+                Path newPath = zipSlipProtect(entry.getName(), target);
                 if (entry.isDirectory()) {
                     Files.createDirectories(newPath);
                 } else {
@@ -158,17 +158,17 @@ public static void decompressTar(String sourceFile, String outputDir,
         }
     }
 
-    private static Path zipSlipProtect(ArchiveEntry entry, Path targetDir)
+    private static Path zipSlipProtect(String fileName, Path targetDir)
             throws IOException {
-        Path targetDirResolved = targetDir.resolve(entry.getName());
+        Path targetDirResolved = targetDir.resolve(fileName);
         /*
          * Make sure normalized file still has targetDir as its prefix,
          * else throws exception
          */
         Path normalizePath = targetDirResolved.normalize();
         if (!normalizePath.startsWith(targetDir.normalize())) {
             throw new IOException(String.format("Bad entry: %s",
-                                                entry.getName()));
+                                                fileName));
         }
         return normalizePath;
     }
@@ -220,9 +220,7 @@ public static void decompressZip(String sourceFile, String outputDir,
              ZipInputStream zis = new ZipInputStream(bis)) {
             ZipEntry entry;
             while ((entry = zis.getNextEntry()) != null) {
-                String fileName = entry.getName();
-                File entryFile = new File(Paths.get(outputDir, fileName)
-                                               .toString());
+                File entryFile = new File(zipSlipProtect(entry.getName(), Paths.get(outputDir)).toString());
                 FileUtils.forceMkdir(entryFile.getParentFile());
                 try (FileOutputStream fos = new FileOutputStream(entryFile);
                      BufferedOutputStream bos = new BufferedOutputStream(fos)) {

diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java
@@ -140,7 +140,8 @@ public static String decompress(byte[] value, float bufferRatio) {
     }
 
     public static String hashPassword(String password) {
-        return BCrypt.hashpw(password, BCrypt.gensalt(4));
+        // OWASP suggest 10 as minimum and 12-14 as production default
+        return BCrypt.hashpw(password, BCrypt.gensalt(12));
     }
 
     public static boolean checkPassword(String candidatePassword, String dbPassword) {

diff --git a/...erver/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java b/...erver/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java
@@ -23,6 +23,7 @@
 import org.apache.hugegraph.util.Bytes;
 import org.apache.hugegraph.util.StringEncoding;
 import org.junit.Test;
+import org.mindrot.jbcrypt.BCrypt;
 
 public class StringEncodingTest {
 
@@ -180,4 +181,18 @@ public void testReadAsciiString() {
         buf = Bytes.fromHex("80");
         Assert.assertEquals("", StringEncoding.readAsciiString(buf, 0));
     }
+
+    @Test
+    public void testCheckPasswordSupportsOldAndNewCost() {
+        // oldWorkFactor
+        String oldPassword = BCrypt.hashpw("123456", BCrypt.gensalt(4));
+        // newWorkFactor
+        String newPassword = BCrypt.hashpw("123456", BCrypt.gensalt(12));
+
+        Assert.assertTrue(StringEncoding.checkPassword("123456", oldPassword));
+        Assert.assertTrue(StringEncoding.checkPassword("123456", newPassword));
+
+        Assert.assertFalse(StringEncoding.checkPassword("bad-pass", oldPassword));
+        Assert.assertFalse(StringEncoding.checkPassword("bad-pass", newPassword));
+    }
 }
diff --git a/hugegraph-struct/pom.xml b/hugegraph-struct/pom.xml
@@ -108,10 +108,12 @@
             <artifactId>fastutil</artifactId>
             <version>8.1.0</version>
         </dependency>
+        <!-- LZ4 version update from 1.7.1 to 1.8.1. For details on the specific changes, please refer to:
+        https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183 -->
         <dependency>
             <groupId>org.lz4</groupId>
             <artifactId>lz4-java</artifactId>
-            <version>1.7.1</version>
+            <version>1.8.1</version>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>

diff --git a/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java b/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java
@@ -165,7 +165,8 @@ public static String decompress(byte[] value, float bufferRatio) {
     }
 
     public static String hashPassword(String password) {
-        return BCrypt.hashpw(password, BCrypt.gensalt(4));
+        // OWASP suggest 10 as minimum and 12-14 as production default
+        return BCrypt.hashpw(password, BCrypt.gensalt(12));
     }
 
     public static boolean checkPassword(String candidatePassword,

diff --git a/install-dist/release-docs/LICENSE b/install-dist/release-docs/LICENSE
@@ -651,6 +651,7 @@ The text of each license is also included in licenses/LICENSE-[project].txt.
     https://central.sonatype.com/artifact/org.lz4/lz4-java/1.4.0 -> Apache 2.0
     https://central.sonatype.com/artifact/org.lz4/lz4-java/1.7.1 -> Apache 2.0
     https://central.sonatype.com/artifact/org.lz4/lz4-java/1.8.0 -> Apache 2.0
+    https://central.sonatype.com/artifact/org.lz4/lz4-java/1.8.1 -> Apache 2.0
     https://central.sonatype.com/artifact/org.nlpcn/nlp-lang/1.7.7 -> Apache 2.0
     https://central.sonatype.com/artifact/org.objenesis/objenesis/2.6 -> Apache 2.0
     https://central.sonatype.com/artifact/org.objenesis/objenesis/3.2 -> Apache 2.0

diff --git a/install-dist/release-docs/licenses/LICENSE-lz4-java-1.8.0.txt b/install-dist/release-docs/licenses/LICENSE-lz4-java-1.8.0.txt
diff --git a/...-docs/licenses/LICENSE-lz4-java-1.7.1.txt → ...-docs/licenses/LICENSE-lz4-java-1.8.1.txt b/...-docs/licenses/LICENSE-lz4-java-1.7.1.txt → ...-docs/licenses/LICENSE-lz4-java-1.8.1.txt
diff --git a/install-dist/scripts/dependency/known-dependencies.txt b/install-dist/scripts/dependency/known-dependencies.txt
@@ -389,8 +389,7 @@ lucene-sandbox-4.7.2.jar
 lucene-sandbox-5.2.1.jar
 lucene-suggest-5.2.1.jar
 lz4-java-1.4.0.jar
-lz4-java-1.7.1.jar
-lz4-java-1.8.0.jar
+lz4-java-1.8.1.jar
 metrics-annotation-4.2.4.jar
 metrics-core-3.0.2.jar
 metrics-core-3.1.5.jar