From 54f94d81c527e33961b383a7b1cd509189b09cf4 Mon Sep 17 00:00:00 2001 From: Sanaya Gupta Date: Thu, 29 Jan 2026 10:16:44 +0000 Subject: [PATCH 1/4] [fix][sec] Exclude org.lz4:lz4-java and standardize on at.yawk.lz4-java to remediate CVE-2025-12183 and CVE-2025-66566 --- pom.xml | 7 +++++++ pulsar-io/debezium/core/pom.xml | 4 ++++ pulsar-io/kafka-connect-adaptor/pom.xml | 4 ++++ pulsar-io/kafka/pom.xml | 4 ++++ pulsar-io/kinesis-kpl-shaded/pom.xml | 6 ++++++ pulsar-io/kinesis/pom.xml | 6 ++++++ 6 files changed, 31 insertions(+) diff --git a/pom.xml b/pom.xml index 2a662feefbba3..a285b52211fe4 100644 --- a/pom.xml +++ b/pom.xml @@ -376,6 +376,7 @@ flexible messaging model and an intuitive client API. 1.11.0 2.12.0 2.1.10 + 1.10.3 @@ -1759,6 +1760,12 @@ flexible messaging model and an intuitive client API. + + + at.yawk.lz4 + lz4-java + ${lz4java.version} + diff --git a/pulsar-io/debezium/core/pom.xml b/pulsar-io/debezium/core/pom.xml index 1825346ab4693..2470dfc8e8513 100644 --- a/pulsar-io/debezium/core/pom.xml +++ b/pulsar-io/debezium/core/pom.xml @@ -85,6 +85,10 @@ org.eclipse.jetty * + + org.lz4 + lz4-java + diff --git a/pulsar-io/kafka-connect-adaptor/pom.xml b/pulsar-io/kafka-connect-adaptor/pom.xml index 787f65124fdc2..3b125330b025c 100644 --- a/pulsar-io/kafka-connect-adaptor/pom.xml +++ b/pulsar-io/kafka-connect-adaptor/pom.xml @@ -89,6 +89,10 @@ jose4j org.bitbucket.b_c + + org.lz4 + lz4-java + diff --git a/pulsar-io/kafka/pom.xml b/pulsar-io/kafka/pom.xml index e671ca3380455..6c70979b5b253 100644 --- a/pulsar-io/kafka/pom.xml +++ b/pulsar-io/kafka/pom.xml @@ -84,6 +84,10 @@ jose4j org.bitbucket.b_c + + org.lz4 + lz4-java + diff --git a/pulsar-io/kinesis-kpl-shaded/pom.xml b/pulsar-io/kinesis-kpl-shaded/pom.xml index d2fafb13e48dc..b6b2a969a1370 100644 --- a/pulsar-io/kinesis-kpl-shaded/pom.xml +++ b/pulsar-io/kinesis-kpl-shaded/pom.xml @@ -58,6 +58,12 @@ org.apache.kafka kafka-clients ${kafka-client.version} + + + org.lz4 + lz4-java + + 
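Review bot: The new dependencyManagement entry for at.yawk.lz4:lz4-java (and the lz4java.version property above it) only pins the replacement; nothing in the root pom stops org.lz4:lz4-java from coming back through a new or upgraded transitive dependency in a module this series did not touch, so the remediation can regress silently on the next dependency bump. Since the root pom is already where the version is declared, this is also the place to make the ban enforceable, e.g. a maven-enforcer bannedDependencies rule `<bannedDependencies><excludes><exclude>org.lz4:lz4-java</exclude></excludes></bannedDependencies>` (assuming the build already runs the enforcer plugin; its configuration is not visible in this patch). A short comment on the property would also help the next maintainer understand why two lz4 coordinates exist: `<!-- at.yawk.lz4 fork replaces org.lz4:lz4-java (CVE-2025-12183, CVE-2025-66566); org.lz4 must stay excluded wherever kafka-clients is pulled in -->`.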
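Review bot: The exclusion of org.lz4:lz4-java added to the kafka-clients dependency in pulsar-io/kafka/pom.xml is not paired with a dependency on the at.yawk.lz4:lz4-java replacement (the diffstat shows only the four exclusion lines), so after this change the module has the lz4 classes only if some other dependency still happens to supply them, which is not visible here. kafka-clients resolves its LZ4 codec at runtime, so if nothing else provides the net.jpountz.lz4 package a producer configured with compression.type=lz4 or a consumer receiving an lz4-compressed batch would fail with a NoClassDefFoundError rather than at build time. As far as I know the at.yawk fork keeps the same net.jpountz.lz4 package, so adding `<dependency><groupId>at.yawk.lz4</groupId><artifactId>lz4-java</artifactId></dependency>` next to the kafka-clients dependency (version inherited from the new dependencyManagement entry) closes the gap; the same applies to the kafka-connect-adaptor, debezium/core, kinesis and kinesis-kpl-shaded hunks, and for the shaded module the replacement must end up inside the shaded artifact. Please verify per module with `mvn dependency:tree -Dincludes=org.lz4,at.yawk.lz4` that org.lz4 is gone and at.yawk.lz4 is present at compile/runtime scope, not only test scope as in pulsar-common.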
diff --git a/pulsar-io/kinesis/pom.xml b/pulsar-io/kinesis/pom.xml index 942ecc672f914..137a3102906ba 100644 --- a/pulsar-io/kinesis/pom.xml +++ b/pulsar-io/kinesis/pom.xml @@ -44,6 +44,12 @@ org.apache.kafka kafka-clients ${kafka-client.version} + + + org.lz4 + lz4-java + + From 59be8ed0b5ebe2659a1e62d20f4a0e753e8acbad Mon Sep 17 00:00:00 2001 From: Sanaya Gupta Date: Thu, 29 Jan 2026 13:40:44 +0000 Subject: [PATCH 2/4] [fix][sec] Exclude org.lz4:lz4-java and standardize on at.yawk.lz4-java to remediate CVE-2025-12183 and CVE-2025-66566 --- distribution/server/src/assemble/LICENSE.bin.txt | 2 +- pulsar-common/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt index e5451487a6018..94117eeec1bcf 100644 --- a/distribution/server/src/assemble/LICENSE.bin.txt +++ b/distribution/server/src/assemble/LICENSE.bin.txt @@ -382,7 +382,7 @@ The Apache Software License, Version 2.0 - org.apache.bookkeeper-bookkeeper-slogger-api-4.17.3.jar - org.apache.bookkeeper-bookkeeper-slogger-slf4j-4.17.3.jar - org.apache.bookkeeper-native-io-4.17.3.jar - - at.yawk.lz4-lz4-java-1.10.2.jar + - at.yawk.lz4-lz4-java-1.10.3.jar * Apache HTTP Client - org.apache.httpcomponents-httpclient-4.5.13.jar - org.apache.httpcomponents-httpcore-4.4.15.jar diff --git a/pulsar-common/pom.xml b/pulsar-common/pom.xml index bce1e4c7b34f5..84530582a4f48 100644 --- a/pulsar-common/pom.xml +++ b/pulsar-common/pom.xml @@ -261,7 +261,7 @@ at.yawk.lz4 lz4-java - 1.10.1 + 1.10.3 test From 8587ae850580067f5f45582e0de40bfbdf4f783a Mon Sep 17 00:00:00 2001 From: Sanaya Gupta Date: Thu, 29 Jan 2026 13:51:11 +0000 Subject: [PATCH 3/4] [fix][sec] Exclude org.lz4:lz4-java and standardize on at.yawk.lz4-java to remediate CVE-2025-12183 and CVE-2025-66566 --- pulsar-common/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pulsar-common/pom.xml b/pulsar-common/pom.xml index 84530582a4f48..aa72da8a4cb40 100644 --- a/pulsar-common/pom.xml +++ b/pulsar-common/pom.xml @@ -261,7 +261,7 @@ at.yawk.lz4 lz4-java - 1.10.3 + 1.10.2 test From b7fb101985c24a6a0b204f1242b2e8e92995daf6 Mon Sep 17 00:00:00 2001 From: Sanaya Gupta Date: Thu, 29 Jan 2026 13:54:41 +0000 Subject: [PATCH 4/4] [fix][sec] Exclude org.lz4:lz4-java and standardize on at.yawk.lz4-java to remediate CVE-2025-12183 and CVE-2025-66566 --- pulsar-common/pom.xml | 1 - 1 file changed, 1 deletion(-) diff --git a/pulsar-common/pom.xml b/pulsar-common/pom.xml index aa72da8a4cb40..09e42ff618828 100644 --- a/pulsar-common/pom.xml +++ b/pulsar-common/pom.xml @@ -261,7 +261,6 @@ at.yawk.lz4 lz4-java - 1.10.2 test