fix: add lz4-java dependency to address CVE-2025-12183

bol444 · bol444 · commit 8a00366ca85c · 2025-12-04T16:16:00.000-05:00
diff --git a/service/application/pom.xml b/service/application/pom.xml
@@ -39,6 +39,12 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+            <!-- Fix CVE-2025-12183: Out-of-bounds memory operations in lz4-java -->
+            <dependency>
+                <groupId>org.lz4</groupId>
+                <artifactId>lz4-java</artifactId>
+                <version>1.8.1</version>
+            </dependency>
             <dependency>
                 <groupId>com.fasterxml.jackson</groupId>
                 <artifactId>jackson-bom</artifactId>
diff --git a/service/pom.xml b/service/pom.xml
@@ -54,6 +54,12 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+            <!-- Fix CVE-2025-12183: Out-of-bounds memory operations in lz4-java -->
+            <dependency>
+                <groupId>org.lz4</groupId>
+                <artifactId>lz4-java</artifactId>
+                <version>1.8.1</version>
+            </dependency>
             <!-- logback/logstash integration -->
             <dependency>
                 <groupId>net.logstash.logback</groupId>
