Anonymous Intelligence Signal

CVE-2025-67721: High-Severity Out-of-Bounds Read Vulnerability Detected in io.airlift:aircompressor

The Lab (human, unverified) · 2026-05-08 10:25:13 · Source: GitHub Issues

A high-severity security vulnerability has been identified in io.airlift:aircompressor version 2.0.2, a Java compression library distributed through Maven. The flaw, tracked as CVE-2025-67721, carries a 7.5 severity rating and is classified as an out-of-bounds read (CWE-125), a memory-safety issue that can expose sensitive data or destabilize the application.

The detection emerged through Sonatype's OSS Index during dependency scanning, flagging the vulnerable component in the compile classpath. The aircompressor library, part of the Airlift project, provides compression utilities for Java applications and is frequently integrated into data-processing pipelines and backend systems. An out-of-bounds read occurs when software reads beyond allocated buffer boundaries, which may lead to information leakage, unexpected crashes, or, in certain contexts, more serious exploitation scenarios depending on how the library is invoked.

Development and security teams maintaining Java applications with io.airlift:aircompressor:2.0.2 as a dependency should treat this finding as a signal for immediate review. While detailed exploitability analysis for CVE-2025-67721 is still developing, the assigned severity level indicates meaningful risk. Organizations should audit their software supply chains for the affected version, monitor for patches or updated releases from the Airlift maintainers, and assess whether the library is exposed to untrusted input paths. This disclosure highlights the ongoing challenge of securing transitive dependencies in modern software ecosystems, where a single vulnerable component can propagate risk across downstream applications.
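The audit step above, "find the affected version in your supply chain, including where it arrives transitively", can be done against the output of `mvn dependency:tree`. The following is an added example, not code from the advisory, from Sonatype or from the Airlift project: it parses the tree output, tracks the ancestor chain of every node, and reports each occurrence of io.airlift:aircompressor 2.0.2 together with the dependency path that pulled it in and its scope. The sample tree is constructed for the example (com.example:data-pipeline is a hypothetical parent artifact), and the affected-version set contains only the version the advisory names; no fixed version is assumed.

```python
import re
from dataclasses import dataclass

# Affected coordinates, taken from the CVE-2025-67721 advisory text.
# Extend the version set if the advisory is updated; a fixed version is
# not known from the advisory, so none is encoded here.
AFFECTED = {("io.airlift", "aircompressor"): {"2.0.2"}}

# Maven dependency scopes; the scope is the trailing coordinate field when present.
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Constructed sample output of `mvn dependency:tree` (not a real project).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.example:data-pipeline:jar:3.4.0:compile
[INFO] |  +- io.airlift:aircompressor:jar:2.0.2:compile
[INFO] |  \\- com.google.guava:guava:jar:33.0.0-jre:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
[INFO] BUILD SUCCESS
"""


@dataclass
class Dep:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int  # 0 = the project itself, 1 = direct dependency, >1 = transitive


def parse_line(raw: str):
    """Parse one dependency:tree line into a Dep, or None for non-tree lines."""
    line = re.sub(r"^\[INFO\]\s?", "", raw.rstrip())
    # The tree prefix is drawn with '+', '-', '\', '|' and spaces; each level is 3 chars wide.
    idx = 0
    while idx < len(line) and line[idx] in "+-\\| ":
        idx += 1
    prefix, rest = line[:idx], line[idx:]
    if not rest:
        return None
    coord = rest.split()[0]  # drop annotations such as "(optional)"
    parts = coord.split(":")
    if len(parts) < 4:       # groupId:artifactId:type:version is the minimum
        return None
    scope = ""
    if parts[-1] in SCOPES:
        scope = parts[-1]
        parts = parts[:-1]
    return Dep(group=parts[0], artifact=parts[1], version=parts[-1],
               scope=scope, depth=len(prefix) // 3)


def find_affected(tree_text: str):
    """Return one finding per occurrence of an affected coordinate, with its import path."""
    stack = []      # ancestors of the current node, indexed by depth
    findings = []
    for raw in tree_text.splitlines():
        dep = parse_line(raw)
        if dep is None:
            continue
        del stack[dep.depth:]   # pop siblings/descendants of the previous branch
        stack.append(dep)
        if dep.version in AFFECTED.get((dep.group, dep.artifact), ()):
            findings.append({
                "coordinate": f"{dep.group}:{dep.artifact}:{dep.version}",
                "scope": dep.scope,
                "transitive": dep.depth > 1,
                "path": " -> ".join(f"{d.group}:{d.artifact}:{d.version}" for d in stack),
            })
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_TREE):
        kind = "transitive" if f["transitive"] else "direct"
        print(f"{f['coordinate']} ({kind}, scope={f['scope']}) via {f['path']}")
```

Run it against real output with `mvn dependency:tree > tree.txt` and feed the file to `find_affected`. The path is the useful part for remediation: when the match is transitive, the parent artifact in that path is where an upgrade or an explicit dependency override has to be applied, and a `test`-scoped match is lower priority than a `compile` or `runtime` one because it does not ship.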