CVE-2025-54812
BaseFortify
Publication date: 2025-08-22
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | log4cxx | to 1.5.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-117 | The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Improper Output Neutralization for Logs issue in Apache Log4cxx when using HTMLLayout. Logger names are not properly escaped in the HTML log files, so if an attacker can control the logger name (which comes from untrusted data), they could inject malicious HTML or JavaScript. This could allow hiding information in logs or stealing data when a user opens the HTML log file in a browser.
How can this vulnerability impact me? :
The impact is considered low because logger names are generally constant strings, making exploitation less likely. However, if exploited, it could lead to cross-site scripting (XSS) attacks when viewing HTML log files, potentially allowing attackers to hide log information or steal data from users.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache Log4cxx to version 1.5.0 or later, which fixes the issue. Additionally, avoid using HTMLLayout with logger names derived from untrusted input to prevent potential XSS attacks.