CVE-2026-49844
Received Received - Intake

Improper JSON Encoding of Non-Finite Values in Apache Log4j API

Vulnerability report for CVE-2026-49844, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Apache Software Foundation

Description

Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0. The fix for CVE-2026-34481 did not cover all code paths: when a MapMessage contains a non-finite IEEE 754 value (NaN, Infinity, or -Infinity), MapMessage.asJson() emits the corresponding bare token. RFC 8259 does not permit these tokens, so a conformant parser rejects the resulting document. The defect is reachable only when both of the following conditions hold: * The application uses the message resolver https://logging.apache.org/log4j/2.x/manual/json-template-layout.html#event-template-resolver-message of JsonTemplateLayout or any other layout that relies on MapMessage.asJson() or MapMessage.getFormattedMessage(new String[]{"JSON"}). * The application logs a MapMessage that contains an attacker-controlled floating-point value. An attacker who can supply a non-finite value can cause the affected layout to emit malformed JSON, which may corrupt the enclosing log record or disrupt downstream log ingestion and parsing. Users are advised to upgrade to Apache Log4j API 2.25.5 or 2.26.1, both of which emit RFC 8259-compliant JSON for non-finite values.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
apache log4j_api From 2.13.1 (inc) to 2.25.4 (inc)
apache log4j_api 2.26.0
apache log4j_api 2.25.5
apache log4j_api 2.26.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0, where non-finite floating-point values (such as NaN, Infinity, or -Infinity) are improperly encoded during MapMessage JSON serialization.

When a MapMessage contains these non-finite values, the method MapMessage.asJson() outputs bare tokens representing these values, which are not valid according to the JSON standard (RFC 8259). As a result, JSON parsers that follow the standard reject the malformed JSON.

This issue arises only if the application uses a message resolver that relies on MapMessage.asJson() or MapMessage.getFormattedMessage with JSON formatting, and if the application logs a MapMessage containing an attacker-controlled floating-point value.

Impact Analysis

An attacker who can supply a non-finite floating-point value can cause the affected logging layout to emit malformed JSON.

This malformed JSON can corrupt the enclosing log record or disrupt downstream log ingestion and parsing processes.

Mitigation Strategies

To mitigate this vulnerability, users are advised to upgrade to Apache Log4j API version 2.25.5 or 2.26.1, which emit RFC 8259-compliant JSON for non-finite floating-point values.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49844. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart