Improper Output Neutralization for Logs vulnerability in Apache Log4cxx.

When using JSONLayout, not all payload bytes are properly escaped. If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as part of the JSON message. This may prevent applications that consume these logs from correctly interpreting the information within them.

This issue affects Apache Log4cxx: before 1.5.0.

Users are recommended to upgrade to version 1.5.0, which fixes the issue.
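For logs already written by an affected version, a consumer-side check can flag the records a strict JSON parser will reject. The following is an added example, not code from Log4cxx or this advisory; it assumes the affected bytes are raw control characters in the U+0000 to U+001F range, which RFC 8259 requires to be escaped inside strings (the advisory does not enumerate them). The function names and sample lines are constructed for illustration.

```python
import json

# RFC 8259: U+0000..U+001F must be escaped inside JSON strings.
CONTROL_MAX = 0x1F

# Constructed sample of JSON-per-line log output (not real Log4cxx output).
SAMPLE = [
    b'{"level":"INFO","message":"user login ok"}\n',
    b'{"level":"INFO","message":"tab\\tescaped properly"}\n',
    b'{"level":"WARN","message":"name=\x1b[2Jcleared"}\n',  # raw ESC byte
    b'{"level":"INFO","message":"truncated\n',               # cut-off record
]

def find_raw_controls(line: bytes):
    """Return [(byte_offset, byte_value)] for raw control bytes inside strings."""
    hits, in_string, escaped = [], False, False
    for offset, byte in enumerate(line.rstrip(b"\r\n")):
        if in_string:
            if escaped:
                escaped = False          # byte after a backslash is consumed
            elif byte == 0x5C:           # backslash starts an escape sequence
                escaped = True
            elif byte == 0x22:           # closing quote
                in_string = False
            elif byte <= CONTROL_MAX:    # must have been written as \uXXXX etc.
                hits.append((offset, byte))
        elif byte == 0x22:               # opening quote
            in_string = True
    return hits

def audit(lines):
    """Classify each line as 'ok', 'unescaped-control' or 'malformed'."""
    report = []
    for number, line in enumerate(lines, start=1):
        hits = find_raw_controls(line)
        try:
            json.loads(line.decode("utf-8"))   # strict mode rejects raw controls
            status = "ok"
        except ValueError:                     # covers JSON and UTF-8 decode errors
            status = "unescaped-control" if hits else "malformed"
        report.append((number, status, hits))
    return report

if __name__ == "__main__":
    for number, status, hits in audit(SAMPLE):
        print(number, status, [(off, hex(b)) for off, b in hits])
```

Separating `unescaped-control` from `malformed` lets a pipeline quarantine the affected records for review rather than silently dropping every line that fails to parse.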
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 05 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 26 Aug 2025 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:log4cxx:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Sat, 23 Aug 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache log4cxx
Vendors & Products Apache
Apache log4cxx

Fri, 22 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 Aug 2025 19:00:00 +0000

Type Values Removed Values Added
Description Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using JSONLayout, not all payload bytes are properly escaped. If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as part of the JSON message. This may prevent applications that consume these logs from correctly interpreting the information within them. This issue affects Apache Log4cxx: before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue.
Title Apache Log4cxx: Improper escaping with JSONLayout
Weaknesses CWE-117
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2025-08-22T19:05:49.161Z

Reserved: 2025-07-30T01:20:34.786Z

Link: CVE-2025-54813

Vulnrichment

Updated: 2025-08-22T19:05:43.288Z

NVD

Status: Analyzed

Published: 2025-08-22T19:15:40.003

Modified: 2025-08-26T21:16:19.213

Link: CVE-2025-54813

Redhat

Severity: Moderate

Public Date: 2025-08-22T18:45:42Z

Links: CVE-2025-54813 - Bugzilla

OpenCVE Enrichment

Updated: 2025-08-23T10:54:59Z