
Description

Apache Log4j's JsonTemplateLayout (https://logging.apache.org/log4j/2.x/manual/json-template-layout.html), in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met:

* The application uses JsonTemplateLayout.
* The application logs a MapMessage containing an attacker-controlled floating-point value.

Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.
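A defender-side check for the failure mode the description names, added here as an illustration and not part of this advisory or of Log4j: a strict RFC 8259 line validator in Python that flags NDJSON records carrying the bare NaN/Infinity tokens, so a pipeline operator can count the records a strict indexer would drop before the upgrade lands. The sample lines are constructed to resemble JsonTemplateLayout output, not captured from Log4j.

```python
import json

# Constructed sample NDJSON, shaped like JsonTemplateLayout output (not real
# Log4j output): lines 2 and 3 carry the bare non-finite tokens that the
# affected versions emit for NaN and -Infinity MapMessage values.
SAMPLE_LOG = """\
{"@timestamp":"2026-04-10T12:00:00.000Z","level":"INFO","message":{"user":"alice","ratio":0.5}}
{"@timestamp":"2026-04-10T12:00:01.000Z","level":"INFO","message":{"user":"bob","ratio":NaN}}
{"@timestamp":"2026-04-10T12:00:02.000Z","level":"WARN","message":{"user":"carol","ratio":-Infinity}}
{"@timestamp":"2026-04-10T12:00:03.000Z","level":"INFO","message":{"user":"dave","ratio":1e308}}
"""


class NonFiniteJsonError(ValueError):
    """Raised for NaN/Infinity/-Infinity, which RFC 8259 does not allow."""


def _reject_non_finite(token: str):
    # json.loads() routes the tokens NaN, Infinity and -Infinity through
    # parse_constant. Python accepts them by default, so a lenient consumer
    # ingests the record silently; a strict one must reject it here.
    raise NonFiniteJsonError(f"non-finite literal {token!r} is not valid JSON")


def parse_strict(line: str) -> dict:
    """Parse one NDJSON record under RFC 8259 rules (no non-finite numbers)."""
    return json.loads(line, parse_constant=_reject_non_finite)


def audit_log(text: str) -> dict:
    """Count valid records; list line numbers a strict indexer would drop."""
    result = {"ok": 0, "non_finite": [], "malformed": []}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            parse_strict(line)
        except NonFiniteJsonError:
            result["non_finite"].append(lineno)
        except json.JSONDecodeError:
            result["malformed"].append(lineno)
        else:
            result["ok"] += 1
    return result


if __name__ == "__main__":
    print(audit_log(SAMPLE_LOG))
```

Note that the large-but-finite value on line 4 passes: only the three non-finite literals are outside RFC 8259, and Python's default `json.loads` would have accepted all four lines.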

PUBLISHED | Reserved 2026-03-28 | Published 2026-04-10 | Updated 2026-04-10 | Assigner: apache

MEDIUM: 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Problem types

CWE-116 Improper Encoding or Escaping of Output

Product status

Default status: unaffected

2.14.0 (maven) before 2.25.4: affected

3.0.0-alpha1 (maven): affected

Timeline

2026-02-16: Vulnerability reported by Ap4sh and ethicxz
2026-03-10: Candidate patch internally shared by Piotr P. Karwasz
2026-03-24: Fix shared publicly by Piotr P. Karwasz as pull request #4080
2026-03-25: Fix verified by the reporter
2026-03-28: Log4j 2.25.4 released

Credits

Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie): finder

References

www.openwall.com/lists/oss-security/2026/04/10/10

github.com/apache/logging-log4j2/pull/4080 patch

logging.apache.org/security.html vendor-advisory

logging.apache.org/cyclonedx/vdr.xml vendor-advisory

logging.apache.org/...j/2.x/manual/json-template-layout.html related

lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv vendor-advisory

cve.org (CVE-2026-34481)

nvd.nist.gov (CVE-2026-34481)
