PT-2026-57319 · Apache · Log4J Api
Himanshu Anand
·
Published
2026-07-10
·
Updated
2026-07-11
·
CVE-2026-49844
CVSS v4.0
6.3
Medium
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Apache Log4j API versions 2.13.1 through 2.25.4
Apache Log4j API version 2.26.0
Description
Improper encoding of non-finite IEEE 754 floating-point values (NaN, Infinity, or -Infinity) during MapMessage JSON serialization produces output that is not valid JSON. This occurs when
MapMessage.asJson() or MapMessage.getFormattedMessage(new String[]{"JSON"}) is used, as they emit bare tokens not permitted by RFC 8259. The issue is reachable if an application uses the event template resolver of JsonTemplateLayout or any other layout relying on these methods and logs a MapMessage containing an attacker-controlled floating-point value. This can result in malformed JSON, potentially corrupting log records or disrupting downstream log ingestion and parsing.Recommendations
For versions 2.13.1 through 2.25.4, upgrade to Apache Log4j API 2.25.5.
For version 2.26.0, upgrade to Apache Log4j API 2.26.1.
Fix
Improper Encoding or Escaping of Output
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Log4J Api