lz4-java: New project submission
I would like to submit my lz4-java fork for OSS-Fuzz.
lz4-java itself has an OSSF criticality score of only 0.56. However, it is a dependency of some important OSS infrastructure, such as Hadoop, Spark, Kafka and Netty.
CVE-2025-12183 was discovered using OSS-Fuzz, but the path was very indirect: a Micronaut fuzz test was exercising a Netty class (Micronaut depends on Netty), which in turn found the bug in lz4-java. Additional local fuzzing of lz4-java found numerous further subtle security issues that were also addressed in the CVE.
The project governance is problematic. The original maintainer was not reachable, and the lz4 organization decided to close the project. My fork is linked in the README as the community continuation of the project. That is why I am submitting my fork, not the original.
The combination of high impact (many people decompress untrusted data), poor security hardening, and demonstrated previous discoveries makes an OSS-Fuzz integration sensible, even if the circumstances are unusual.
I am not looking for integration awards.
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).
View this failed invocation of the CLA check for more information.
For the most up to date status, view the checks section at the bottom of the pull request.
yawkat is integrating a new project:
- Main repo: https://github.com/yawkat/lz4-java
- Criticality score: 0.37987
CLA passes now, the first version of this PR had the wrong e-mail address.