Improper Output Neutralization for Logs Affecting log4cxx package, versions [,1.5.0)


Severity

Recommended
0.0
low
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.09% (28th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Output Neutralization for Logs vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-CONAN-LOG4CXX-12179275
  • published25 Aug 2025
  • disclosed22 Aug 2025
  • creditUnknown

Introduced: 22 Aug 2025

NewCVE-2025-54812  (opens in a new tab)
CWE-117  (opens in a new tab)

How to fix?

Upgrade log4cxx to version 1.5.0 or higher.

Overview

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs in the HTMLLayout class. An attacker can execute arbitrary HTML or JavaScript code by injecting malicious content into the logger name, which is then written to the HTML log file and subsequently opened in a user's browser.

Note:

This is only exploitable if the logger name is derived from untrusted input, Log4cxx is configured to use HTMLLayout, and a user opens the generated HTML log file in a browser.

CVSS Base Scores

version 4.0
version 3.1