Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout
Summary
| CVE | CVE-2026-34481 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-10 16:16:31 UTC |
| Updated | 2026-04-13 15:02:06 UTC |
| Description | Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue. |
Risk And Classification
Primary CVSS: v4.0 6.3 MEDIUM from [email protected]
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.001190000 probability, percentile 0.308590000 (date 2026-04-15)
Problem Types: CWE-116 | CWE-116 CWE-116 Improper Encoding or Escaping of Output
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
HighAttack Requirements
PresentPrivileges Required
NoneUser Interaction
NoneConfidentiality
NoneIntegrity
NoneAvailability
NoneSub Conf.
NoneSub Integrity
LowSub Availability
NoneCVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Apache Software Foundation | Apache Log4j JSON Template Layout | affected 2.14.0 2.25.4 maven | Not specified |
| CNA | Apache Software Foundation | Apache Log4j JSON Template Layout | affected 3.0.0-alpha1 3.0.0-beta3 maven | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| logging.apache.org/security.html | [email protected] | logging.apache.org | |
| logging.apache.org/log4j/2.x/manual/json-template-layout.html | [email protected] | logging.apache.org | |
| logging.apache.org/cyclonedx/vdr.xml | [email protected] | logging.apache.org | |
| github.com/apache/logging-log4j2/pull/4080 | [email protected] | github.com | |
| www.openwall.com/lists/oss-security/2026/04/10/10 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv | [email protected] | lists.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-02-16T18:14:00.000Z | Vulnerability reported by Ap4sh and ethicxz |
| CNA | 2026-03-10T20:42:00.000Z | Candidate patch internally shared by Piotr P. Karwasz |
| CNA | 2026-03-24T23:06:00.000Z | Fix shared publicly by Piotr P. Karwasz as pull request #4080 |
| CNA | 2026-03-25T09:54:00.000Z | Fix verified by the reporter |
| CNA | 2026-03-28T11:19:00.000Z | Log4j 2.25.4 released |
There are currently no legacy QID mappings associated with this CVE.