org.apache.logging.log4j:log4j-core 3.0.0-beta1

Direct Vulnerabilities

Known vulnerabilities in the org.apache.logging.log4j:log4j-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Improper Encoding or Escaping of Output org.apache.logging.log4j:log4j-core is a logging library for Java. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the Log4j1XmlLayout plugin. An attacker can cause log events to be silently lost or downstream log processing systems to drop or fail to index affected records by introducing XML 1.0 forbidden characters into log messages, resulting in malformed XML output that conforming XML parsers reject with a fatal error. How to fix Improper Encoding or Escaping of Output? A fix was pushed into the `master` branch but not yet published.	[2.7,2.25.4)[3.0.0-alpha1,)
M Improper Encoding or Escaping of Output org.apache.logging.log4j:log4j-core is a logging library for Java. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the XmlLayout plugin. An attacker can cause log events to be silently lost or malformed by injecting XML 1.0 forbidden characters into log messages or MDC values. This may result in malformed XML output, which can cause downstream log-processing systems to drop affected records or prevent log events from being delivered to their intended destinations. How to fix Improper Encoding or Escaping of Output? A fix was pushed into the `master` branch but not yet published.	[2.0-alpha1,2.25.4)[3.0.0-alpha1,)
M Improper Output Neutralization for Logs org.apache.logging.log4j:log4j-core is a logging library for Java. Affected versions of this package are vulnerable to Improper Output Neutralization for Logs in the `Rfc5424Layout` plugin due to `newLineEscape` and `useTlsMessageFormat` configuration attributes being silently renamed, leading to improper handling of newline escaping for TCP framing and incorrect message formatting for TLS framing. An attacker can inject arbitrary log entries by supplying crafted CRLF sequences in log messages, potentially manipulating log output or bypassing log-based security controls. Note: This is only exploitable if the `Rfc5424Layout` is configured directly with affected attributes in stream-based syslog services. Users of the SyslogAppender are not affected, as its configuration attributes were not modified. How to fix Improper Output Neutralization for Logs? A fix was pushed into the `master` branch but not yet published.	[2.21.0,2.25.4)[3.0.0-beta1,)
M Improper Validation of Certificate with Host Mismatch org.apache.logging.log4j:log4j-core is a logging library for Java. Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to the lack of TLS hostname verification in the SocketAppender component when configured through the `verifyHostName` attribute of the `<Ssl>` element. An attacker can intercept and manipulate network traffic by presenting a certificate issued by a trusted certificate authority to the appender's configured trust store, or the default Java trust store if none is configured. This is only exploitable if an SMTP, Socket, or Syslog appender is in use and TLS is configured via a nested element. Note: This issue is due to incomplete fix for CVE-2025-68161. How to fix Improper Validation of Certificate with Host Mismatch? A fix was pushed into the `master` branch but not yet published.	[2.12.0,2.25.4)[3.0.0-alpha1,)

Vulnerability

Vulnerable Version

Improper Encoding or Escaping of Output

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the Log4j1XmlLayout plugin. An attacker can cause log events to be silently lost or downstream log processing systems to drop or fail to index affected records by introducing XML 1.0 forbidden characters into log messages, resulting in malformed XML output that conforming XML parsers reject with a fatal error.

How to fix Improper Encoding or Escaping of Output?

A fix was pushed into the master branch but not yet published.

[2.7,2.25.4)[3.0.0-alpha1,)

Improper Encoding or Escaping of Output

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the XmlLayout plugin. An attacker can cause log events to be silently lost or malformed by injecting XML 1.0 forbidden characters into log messages or MDC values. This may result in malformed XML output, which can cause downstream log-processing systems to drop affected records or prevent log events from being delivered to their intended destinations.

How to fix Improper Encoding or Escaping of Output?

A fix was pushed into the master branch but not yet published.

[2.0-alpha1,2.25.4)[3.0.0-alpha1,)

Improper Output Neutralization for Logs

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs in the Rfc5424Layout plugin due to newLineEscape and useTlsMessageFormat configuration attributes being silently renamed, leading to improper handling of newline escaping for TCP framing and incorrect message formatting for TLS framing. An attacker can inject arbitrary log entries by supplying crafted CRLF sequences in log messages, potentially manipulating log output or bypassing log-based security controls.

Note:

This is only exploitable if the Rfc5424Layout is configured directly with affected attributes in stream-based syslog services.

Users of the SyslogAppender are not affected, as its configuration attributes were not modified.

How to fix Improper Output Neutralization for Logs?

A fix was pushed into the master branch but not yet published.

[2.21.0,2.25.4)[3.0.0-beta1,)

Improper Validation of Certificate with Host Mismatch

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to the lack of TLS hostname verification in the SocketAppender component when configured through the verifyHostName attribute of the <Ssl> element. An attacker can intercept and manipulate network traffic by presenting a certificate issued by a trusted certificate authority to the appender's configured trust store, or the default Java trust store if none is configured. This is only exploitable if an SMTP, Socket, or Syslog appender is in use and TLS is configured via a nested element.

Note:

This issue is due to incomplete fix for CVE-2025-68161.

How to fix Improper Validation of Certificate with Host Mismatch?

A fix was pushed into the master branch but not yet published.

[2.12.0,2.25.4)[3.0.0-alpha1,)

org.apache.logging.log4j:log4j-core@3.0.0-beta1

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically