defect
critical
#29012
Replace dependency org.lz4:lz4-java with at.yawk.lz4:lz4-java [SECURITY] CVE-2025-12183, CVE-2025-66566
The dependency org.lz4:lz4-java in v1.8.0 comes in transitively via org.apache.kafka:kafka-clients. The associated GitHub project (https://github.com/lz4/lz4-java) has been archived and it is noted in Maven Central that the artifact has been moved to at.yawk.lz4:lz4-java.
As two CVEs with a high classification have now been found, the dependency is explicitly replaced and upgraded to a current version.
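The replacement described above could look like this in a Maven build. This is an added sketch, not the project's own build file. It assumes Maven is the build tool and that the kafka-clients and enforcer plugin versions are managed elsewhere. `REPLACE_WITH_FIXED_VERSION` is a placeholder, because the ticket does not name the target version.

```xml
<!-- Added example: pom.xml fragment, not taken from the project. -->
<properties>
  <!-- Placeholder: set to the at.yawk.lz4 release that fixes both CVEs. -->
  <lz4-java.version>REPLACE_WITH_FIXED_VERSION</lz4-java.version>
</properties>

<dependencies>
  <dependency>
    <groupId>org.apache.kafka</groupId>
    <artifactId>kafka-clients</artifactId>
    <!-- Version assumed to come from dependencyManagement. -->
    <exclusions>
      <!-- Drop the archived artifact that kafka-clients pulls in. -->
      <exclusion>
        <groupId>org.lz4</groupId>
        <artifactId>lz4-java</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- Declare the relocated artifact explicitly at the chosen version. -->
  <dependency>
    <groupId>at.yawk.lz4</groupId>
    <artifactId>lz4-java</artifactId>
    <version>${lz4-java.version}</version>
  </dependency>
</dependencies>

<build>
  <plugins>
    <!-- Fail the build if the old coordinates return via another path. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <executions>
        <execution>
          <id>ban-archived-lz4</id>
          <goals><goal>enforce</goal></goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes>
                  <exclude>org.lz4:lz4-java</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

After the change, `mvn dependency:tree -Dincludes=org.lz4:lz4-java` should report no matching artifact in any module.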