CVE-2026-34481
Invalid JSON Output Vulnerability in Apache Log4j JsonTemplateLayout
Publication date: 2026-04-10
Last updated on: 2026-04-24
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | log4j | From 2.14.0 (inc) to 2.25.4 (exc) |
| apache | log4j | 3.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes Apache Log4j's JsonTemplateLayout to produce invalid JSON output when logging non-finite floating-point values (NaN, Infinity, or -Infinity), which violates RFC 8259 JSON format standards.
Because the logs may be malformed and rejected or fail to be indexed by downstream log processing systems, this can impact the integrity and availability of log data.
Since compliance standards like GDPR and HIPAA often require accurate and reliable logging for auditing and monitoring purposes, this vulnerability could hinder meeting those requirements by causing loss or rejection of critical log records.
Users are advised to upgrade to Apache Log4j version 2.25.4 or later, which fixes the issue by correctly serializing these values as JSON strings, ensuring valid JSON output and improving compliance with JSON standards.
Can you explain this vulnerability to me?
This vulnerability exists in Apache Log4j's JsonTemplateLayout up to version 2.25.3, where it produces invalid JSON output when log events contain non-finite floating-point values such as NaN, Infinity, or -Infinity. These values are not allowed by the JSON standard defined in RFC 8259.
The issue occurs because these special floating-point values are serialized without quotes, resulting in invalid JSON that can cause downstream log processing systems to reject or fail to index the affected log records.
An attacker can exploit this vulnerability only if the application uses JsonTemplateLayout and logs a MapMessage containing an attacker-controlled floating-point value.
The vulnerability was fixed in version 2.25.4 by changing the serialization to output these non-finite floating-point values as JSON strings (with quotes), thus producing valid JSON.
How can this vulnerability impact me?
This vulnerability can impact you by causing downstream log processing systems to reject or fail to index log records that contain non-finite floating-point values, due to the invalid JSON output generated.
If your application uses JsonTemplateLayout and logs attacker-controlled floating-point values, an attacker could deliberately cause log entries to become malformed, potentially disrupting log analysis, monitoring, or alerting systems.
This disruption could lead to loss of important log data or delays in detecting security incidents or operational issues.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when Apache Log4j's JsonTemplateLayout produces invalid JSON output containing non-finite floating-point values such as NaN, Infinity, or -Infinity.
To detect this vulnerability, you should check if your application uses JsonTemplateLayout and if it logs MapMessage objects containing floating-point values that could be attacker-controlled.
You can inspect your log files for invalid JSON entries that include unquoted NaN, Infinity, or -Infinity values, which violate RFC 8259.
While no specific commands are provided in the resources, a general approach could be to use command-line tools like grep or jq to search logs for these invalid values. For example:
- grep -E 'NaN|Infinity|-Infinity' /path/to/logfile
- jq '.' /path/to/logfile # This may fail or report errors if invalid JSON is present
If jq reports parsing errors on your JSON logs, it may indicate the presence of this vulnerability.
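The grep above also matches the quoted form ("NaN") that the fixed 2.25.4 layout emits, so a strict parse is the more reliable check. The following is an added Python example, not part of this CVE entry or of the Log4j project: it scans newline-delimited JSON log lines and reports only those that fail RFC 8259 parsing because of an unquoted non-finite literal. The sample log lines are constructed for the demonstration.

```python
import json
from typing import List, Tuple

# Constructed sample of newline-delimited JSON log lines in the shape that a
# JsonTemplateLayout might emit. Line 2 and line 4 carry unquoted non-finite
# values (the pre-2.25.4 behaviour); line 3 carries the quoted form produced
# by the fix and is valid JSON.
SAMPLE_LOG = """\
{"@timestamp":"2026-04-10T12:00:00Z","level":"INFO","message":{"ratio":0.75}}
{"@timestamp":"2026-04-10T12:00:01Z","level":"INFO","message":{"ratio":NaN}}
{"@timestamp":"2026-04-10T12:00:02Z","level":"INFO","message":{"ratio":"NaN"}}
{"@timestamp":"2026-04-10T12:00:03Z","level":"WARN","message":{"ratio":-Infinity}}
"""


def _reject_non_finite(token: str):
    # json.loads() accepts NaN, Infinity and -Infinity by default as a Python
    # extension; RFC 8259 does not, so treat them as a parse failure.
    raise ValueError(f"non-finite literal {token} is not valid JSON")


def find_invalid_lines(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for every non-empty line that is not strict JSON."""
    bad: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            json.loads(line, parse_constant=_reject_non_finite)
        except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
            bad.append((lineno, str(exc)))
    return bad


def scan_log_file(path: str) -> List[Tuple[int, str]]:
    """Convenience wrapper for a real log file (hypothetical path supplied by the caller)."""
    with open(path, "r", encoding="utf-8") as fh:
        return find_invalid_lines(fh.read())


if __name__ == "__main__":
    for lineno, reason in find_invalid_lines(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```

Run against the sample it reports lines 2 and 4 only; a hit on a log produced by a 2.14.0 to 2.25.3 layout is a sign the affected serializer is in use.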
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to upgrade Apache Log4j JSON Template Layout to version 2.25.4 or later.
Version 2.25.4 includes a fix that correctly serializes non-finite floating-point values as JSON strings, preventing invalid JSON output.
Until you can upgrade, consider reviewing and sanitizing any floating-point values logged via MapMessage to avoid non-finite values like NaN or Infinity.