7.5

CVE-2026-34481

Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout

Apache Log4j's  JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.

An attacker can exploit this issue only if both of the following conditions are met:

  *  The application uses JsonTemplateLayout.
  *  The application logs a MapMessage containing an attacker-controlled floating-point value.


Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheLog4j Version >= 2.14.0 < 2.25.4
ApacheLog4j Version3.0.0 Updatealpha1
ApacheLog4j Version3.0.0 Updatealpha1_rc1
ApacheLog4j Version3.0.0 Updatealpha1_rc2
ApacheLog4j Version3.0.0 Updatebeta1
ApacheLog4j Version3.0.0 Updatebeta2
ApacheLog4j Version3.0.0 Updatebeta3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.56% 0.418
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security@apache.org 6.3 0 0
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

https://logging.apache.org/cyclonedx/vdr.xml
Product
https://github.com/apache/logging-log4j2/pull/4080
Issue Tracking
https://logging.apache.org/security.html#CVE-2026-34481
Vendor Advisory
https://logging.apache.org/log4j/2.x/manual/json-template-layout.html
Technical Description
https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv
Vendor Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2026/04/10/10
Third Party Advisory
Mailing List