Question about handling io.airlift:aircompressor vulnerability

[kontotto]

Summary

There is a reported security vulnerability in io.airlift:aircompressor, which is used as a dependency in Apache Pulsar.

• CVE: https://www.cve.org/CVERecord?id=CVE-2025-67721
• Affected dependency version in Pulsar:
  

  pulsar/pom.xml

  Line 263 in 1fcdf8b

  <aircompressor.version>0.27</aircompressor.version>

Background

This vulnerability appears to be fixed in io.airlift:aircompressor version 3.4.x and later.
However, the 3.x series requires Java 22 or later, which may make a straightforward upgrade challenging given Apache Pulsar’s supported Java versions.

On the other hand, the 0.x and 2.x series support Java 8 and later, which aligns better with Pulsar’s current Java compatibility policy.

In addition, the maintenance activity of io.airlift:aircompressor seems relatively low, which raises concerns from a long-term security perspective.

Possible Approaches

From an external user’s point of view, the following options seem possible:

• Evaluate upgrading to aircompressor 3.x, taking the Java version requirements into account
• Consider replacing aircompressor with an alternative library, given its maintenance status
• Apply a backport fix to the Java 8–compatible 0.x or 2.x series (the 2.x series appears to have relatively small code differences from 0.x), and then update the dependency

Question

Could you please share the current or planned approach for handling this vulnerability in Apache Pulsar,
including how the Java version requirements are being considered?

[lhotari]

I created #25139 based on this. Thanks for reporting the issue.