CVE-2025-54813
BaseFortify
Publication date: 2025-08-22
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | log4cxx | versions before 1.5.0 (1.5.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-117 | The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Improper Output Neutralization for Logs issue in Apache Log4cxx when using JSONLayout. Specifically, not all payload bytes are properly escaped, so if an attacker supplies a message containing certain non-printable characters, these characters are included in the JSON log output. This can cause applications that consume these logs to misinterpret the log information.
How can this vulnerability impact me?
The vulnerability can impact you by causing applications that process the logs to incorrectly interpret the log data due to unescaped non-printable characters. This may lead to incorrect logging behavior, potential confusion in log analysis, or issues in systems relying on accurate log data for monitoring or security purposes.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache Log4cxx to version 1.5.0 or later, which fixes the issue.
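To make the escaping gap concrete, the following is an added illustration (written for this page, not Apache Log4cxx's own JSONLayout code) of what a JSON log layout must do with caller-supplied message text: RFC 8259 requires the quote, the backslash and every byte below 0x20 to be escaped, so a record stays one line of valid JSON no matter what control bytes the message carries. The function names `jsonEscape`, `jsonLogRecord` and `isSingleCleanLine` are assumptions made here.

```cpp
#include <cstdio>
#include <string>

// Escape one string for use inside a JSON string literal. Every control
// byte (< 0x20) gets either its short form or a generic \u00XX escape, so
// none of the raw bytes reaches the log file. Illustrative code, not the
// Log4cxx implementation.
std::string jsonEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size() + 8);
    for (unsigned char c : in) {
        switch (c) {
            case '"':  out += "\\\""; break;
            case '\\': out += "\\\\"; break;
            case '\b': out += "\\b";  break;
            case '\f': out += "\\f";  break;
            case '\n': out += "\\n";  break;
            case '\r': out += "\\r";  break;
            case '\t': out += "\\t";  break;
            default:
                if (c < 0x20) {
                    // Remaining control bytes (e.g. 0x01, 0x1b) have no short
                    // escape and must use the \u00XX form.
                    char buf[7];
                    std::snprintf(buf, sizeof buf, "\\u%04x",
                                  static_cast<unsigned>(c));
                    out += buf;
                } else {
                    out += static_cast<char>(c);
                }
        }
    }
    return out;
}

// Build a one-line JSON log record from level and message text.
std::string jsonLogRecord(const std::string& level, const std::string& message) {
    return "{\"level\":\"" + jsonEscape(level) +
           "\",\"message\":\"" + jsonEscape(message) + "\"}";
}

// Consumer-side check: a well-formed record contains no raw control bytes,
// so a line-oriented log reader cannot split it into extra records.
bool isSingleCleanLine(const std::string& record) {
    for (unsigned char c : record) {
        if (c < 0x20) return false;
    }
    return true;
}
```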