Bug 2390431 (CVE-2025-54813) - CVE-2025-54813 apache-log4cxx: Log4cxx: Improper JSON Output Neutralization
Summary: CVE-2025-54813 apache-log4cxx: Log4cxx: Improper JSON Output Neutralization
Keywords:
Status: NEW
Alias: CVE-2025-54813
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2393130 2393129 2393131 2393132 2393133
Blocks:
Reported: 2025-08-22 19:01 UTC by OSIDB Bzimport
Modified: 2025-09-05 15:06 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-08-22 19:01:39 UTC
Improper Output Neutralization for Logs vulnerability in Apache Log4cxx.

When using JSONLayout, not all payload bytes are properly escaped. If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as part of the JSON message. This may prevent applications that consume these logs from correctly interpreting the information within them.

This issue affects Apache Log4cxx versions before 1.5.0.

Users are recommended to upgrade to version 1.5.0, which fixes the issue.

