fix(security): Override vulnerable lz4-java dependency to address CVE-2025-12183

sumi-mathew · sumi-mathew · commit 33998abbcaa2 · 2026-02-25T15:38:24.000+05:30
diff --git a/presto-kafka/pom.xml b/presto-kafka/pom.xml
@@ -72,6 +72,20 @@
         <dependency>
             <groupId>org.apache.kafka</groupId>
             <artifactId>kafka-clients</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.lz4</groupId>
+                    <artifactId>lz4-java</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <!-- CVE-2025-12183: Override vulnerable lz4-java from kafka-clients -->
+        <dependency>
+            <groupId>at.yawk.lz4</groupId>
+            <artifactId>lz4-java</artifactId>
+            <version>1.10.2</version>
+            <scope>runtime</scope>
         </dependency>
 
         <dependency>
