There is a vulnerability in LZO implementation discovered recently.
The only network available VyOS components (to my knowledge) where it’s used are IPsec and OpenVPN that use it for data compression. Compression is performed before encryption, so this is probably not exploitable for a man in the middle. If you are dealing with untrusted remove side of the VPN, probably better to turn compression off.
We will look into providing a hotfix for it for 1.0.4