Improper Encoding or Escaping of Output Affecting org.apache.logging.log4j:log4j-api package, versions [2.13.1,2.25.5)[2.26.0,2.26.1)[3.0.0-alpha1,]


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.66% (48th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGAPACHELOGGINGLOG4J-17954276
  • published12 Jul 2026
  • disclosed10 Jul 2026
  • creditHimanshu Anand

Introduced: 10 Jul 2026

NewCVE-2026-49844  (opens in a new tab)
CWE-116  (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the MapMessage.asJson() method, which emits the bare NaN, Infinity, or -Infinity tokens instead of an RFC 8259-compliant representation. An attacker can emit malformed JSON that corrupts the enclosing log record or disrupts downstream log ingestion and parsing by supplying non-finite floating-point values that the application records in a logged MapMessage. Exploitation requires the application to use the message resolver of JsonTemplateLayout, or another layout relying on MapMessage.asJson(), and to log a MapMessage holding attacker-controlled floating-point values.

Note: This is a bypass of the fix for the vulnerability described in CVE-2026-34481.

CVSS Base Scores

version 4.0
version 3.1