CVE-2026-34481
Received Received - Intake
Invalid JSON Output Vulnerability in Apache Log4j JsonTemplateLayout

Publication date: 2026-04-10

Last updated on: 2026-04-24

Assigner: Apache Software Foundation

Description
Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34481
EUVD
EUVD-2026-21412
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
apache log4j From 2.14.0 (inc) to 2.25.4 (exc)
apache log4j 3.0.0
apache log4j 3.0.0
apache log4j 3.0.0
apache log4j 3.0.0
apache log4j 3.0.0
apache log4j 3.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability causes Apache Log4j's JsonTemplateLayout to produce invalid JSON output when logging non-finite floating-point values (NaN, Infinity, or -Infinity), which violates RFC 8259 JSON format standards.

Because the logs may be malformed and rejected or fail to be indexed by downstream log processing systems, this can impact the integrity and availability of log data.

Since compliance standards like GDPR and HIPAA often require accurate and reliable logging for auditing and monitoring purposes, this vulnerability could hinder meeting those requirements by causing loss or rejection of critical log records.

Users are advised to upgrade to Apache Log4j version 2.25.4 or later, which fixes the issue by correctly serializing these values as JSON strings, ensuring valid JSON output and improving compliance with JSON standards.

Executive Summary

This vulnerability exists in Apache Log4j's JsonTemplateLayout up to version 2.25.3, where it produces invalid JSON output when log events contain non-finite floating-point values such as NaN, Infinity, or -Infinity. These values are not allowed by the JSON standard defined in RFC 8259.

The issue occurs because these special floating-point values are serialized without quotes, resulting in invalid JSON that can cause downstream log processing systems to reject or fail to index the affected log records.

An attacker can exploit this vulnerability only if the application uses JsonTemplateLayout and logs a MapMessage containing an attacker-controlled floating-point value.

The vulnerability was fixed in version 2.25.4 by changing the serialization to output these non-finite floating-point values as JSON strings (with quotes), thus producing valid JSON.

Impact Analysis

This vulnerability can impact you by causing downstream log processing systems to reject or fail to index log records that contain non-finite floating-point values, due to the invalid JSON output generated.

If your application uses JsonTemplateLayout and logs attacker-controlled floating-point values, an attacker could deliberately cause log entries to become malformed, potentially disrupting log analysis, monitoring, or alerting systems.

This disruption could lead to loss of important log data or delays in detecting security incidents or operational issues.

Detection Guidance

This vulnerability occurs when Apache Log4j's JsonTemplateLayout produces invalid JSON output containing non-finite floating-point values such as NaN, Infinity, or -Infinity.

To detect this vulnerability, you should check if your application uses JsonTemplateLayout and if it logs MapMessage objects containing floating-point values that could be attacker-controlled.

You can inspect your log files for invalid JSON entries that include unquoted NaN, Infinity, or -Infinity values, which violate RFC 8259.

While no specific commands are provided in the resources, a general approach could be to use command-line tools like grep or jq to search logs for these invalid values. For example:

  • grep -E 'NaN|Infinity|-Infinity' /path/to/logfile
  • jq '.' /path/to/logfile # This may fail or report errors if invalid JSON is present

If jq reports parsing errors on your JSON logs, it may indicate the presence of this vulnerability.

Mitigation Strategies

The recommended immediate mitigation is to upgrade Apache Log4j JSON Template Layout to version 2.25.4 or later.

Version 2.25.4 includes a fix that correctly serializes non-finite floating-point values as JSON strings, preventing invalid JSON output.

Until you can upgrade, consider reviewing and sanitizing any floating-point values logged via MapMessage to avoid non-finite values like NaN or Infinity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34481. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart