Out-of-bounds Read Affecting spark-4.0-scala-2.13-compat package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-MINIMOSLATEST-SPARK40SCALA213COMPAT-15286015
- published17 Feb 2026
- disclosed12 Dec 2025
Introduced: 12 Dec 2025
CVE-2025-67721 (opens in a new tab)How to fix?
There is no fixed version for Minimos:latest spark-4.0-scala-2.13-compat.
NVD Description
Note: Versions mentioned in the description apply only to the upstream spark-4.0-scala-2.13-compat package and not the spark-4.0-scala-2.13-compat package as distributed by Minimos.
See How to fix? for Minimos:latest relevant fixed versions and status.
Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allow remote attackers to read previous buffer contents via crafted compressed input. With certain crafted compressed inputs, elements from the output buffer can end up in the uncompressed output, potentially leaking sensitive data. This is relevant for applications that reuse the same output buffer to uncompress multiple inputs. This can be the case of a web server that allocates a fix-sized buffer for performance purposes. There is similar vulnerability in GHSA-cmp6-m4wj-q63q. This issue is fixed in version 3.4.
References
- https://www.cve.org/CVERecord?id=CVE-2025-67721
- https://github.com/advisories/GHSA-vx9q-rhv9-3jvg
- https://osv.dev/vulnerability/MINI-gvcr-xhm7-h95m
- https://osv.dev/vulnerability/CVE-2025-67721
- https://github.com/airlift/aircompressor/commit/f2b489b398779b40c1ee29ddb11d7edef54ddc15
- https://github.com/airlift/aircompressor/commit/ff12c4d5757c9d6d1de3d39a10402f1f84f9b765
- https://github.com/airlift/aircompressor/security/advisories/GHSA-vx9q-rhv9-3jvg