fix(security): Override vulnerable lz4-java dependency to address CVE-2025-12183

sumi-mathew · sumi-mathew · commit 3a1b832dfc7c · 2026-02-25T16:44:34.000+05:30
diff --git a/pom.xml b/pom.xml
@@ -2071,6 +2071,12 @@
                 </exclusions>
             </dependency>
 
+            <dependency>
+                <groupId>at.yawk.lz4</groupId>
+                <artifactId>lz4-java</artifactId>
+                <version>1.10.2</version>
+            </dependency>
+
             <dependency>
                 <groupId>org.apache.httpcomponents</groupId>
                 <artifactId>httpclient</artifactId>
diff --git a/presto-druid/pom.xml b/presto-druid/pom.xml
@@ -44,7 +44,6 @@
             <dependency>
                 <groupId>at.yawk.lz4</groupId>
                 <artifactId>lz4-java</artifactId>
-                <version>1.10.2</version>
             </dependency>
             <dependency>
                 <groupId>org.mozilla</groupId>
diff --git a/presto-kafka/pom.xml b/presto-kafka/pom.xml
@@ -72,6 +72,19 @@
         <dependency>
             <groupId>org.apache.kafka</groupId>
             <artifactId>kafka-clients</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.lz4</groupId>
+                    <artifactId>lz4-java</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <!-- CVE-2025-12183: Override vulnerable lz4-java from kafka-clients -->
+        <dependency>
+            <groupId>at.yawk.lz4</groupId>
+            <artifactId>lz4-java</artifactId>
+            <scope>runtime</scope>
         </dependency>
 
         <dependency>
diff --git a/presto-pinot-toolkit/pom.xml b/presto-pinot-toolkit/pom.xml
@@ -119,7 +119,6 @@
         <dependency>
             <groupId>at.yawk.lz4</groupId>
             <artifactId>lz4-java</artifactId>
-            <version>1.10.2</version>
             <scope>runtime</scope>
         </dependency>
 
