Severity: moderate

Affected versions:

- Apache Log4j JSON Template Layout (org.apache.logging.log4j:log4j-layout-template-json) 2.14.0 before 2.25.4
- Apache Log4j JSON Template Layout (org.apache.logging.log4j:log4j-layout-template-json) 3.0.0-alpha1 through 3.0.0-beta3

Description:

Apache Log4j's JsonTemplateLayout
(https://logging.apache.org/log4j/2.x/manual/json-template-layout.html), in
versions up to and including 2.25.3, produces invalid JSON output when log
events contain non-finite floating-point values (NaN, Infinity, or -Infinity),
which are prohibited by RFC 8259. This may cause downstream log processing
systems to reject or fail to index affected records.

An attacker can exploit this issue only if both of the following conditions are 
met:

- The application uses JsonTemplateLayout.
- The application logs a MapMessage containing an attacker-controlled
  floating-point value.

Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which 
corrects this issue.
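The following is an added example, not part of this advisory and not Log4j
code. It shows the defender-side checks the description implies: a strict
RFC 8259 validator that flags log records carrying bare NaN/Infinity literals
(Python's json module accepts those by default, so the lenient parser must be
tightened), and an encoder that writes non-finite floats as strings so the
record stays parseable. The sample log lines are constructed to resemble what
an affected layout would emit; field names and timestamps are assumptions.

```python
import json
import math

# Constructed sample records. The first two carry bare non-finite literals of
# the kind an affected JsonTemplateLayout emits for a MapMessage with a
# non-finite float; RFC 8259 has no such tokens. The third record is valid.
SAMPLE_LOG_LINES = [
    '{"@timestamp":"2026-03-01T12:00:00Z","level":"INFO","message":{"ratio":NaN}}',
    '{"@timestamp":"2026-03-01T12:00:01Z","level":"INFO","message":{"ratio":Infinity}}',
    '{"@timestamp":"2026-03-01T12:00:02Z","level":"INFO","message":{"ratio":0.5}}',
]


def _reject_constant(token: str):
    # json.loads maps NaN/Infinity/-Infinity to floats by default; that
    # leniency is what lets invalid records slip through a pipeline unnoticed.
    raise ValueError(f"non-finite JSON literal {token!r} is not permitted by RFC 8259")


def parse_strict(line: str):
    """Parse one log record, refusing the non-finite extensions."""
    return json.loads(line, parse_constant=_reject_constant)


def find_invalid_lines(lines):
    """Return (index, reason) for every line that is not strict RFC 8259 JSON.

    json.JSONDecodeError is a ValueError subclass, so ordinary syntax errors
    and the rejected non-finite literals are reported the same way.
    """
    bad = []
    for i, line in enumerate(lines):
        try:
            parse_strict(line)
        except ValueError as exc:
            bad.append((i, str(exc)))
    return bad


def sanitize(value):
    """Recursively replace non-finite floats with their string form ("nan", "inf", "-inf")."""
    if isinstance(value, float) and not math.isfinite(value):
        return str(value)
    if isinstance(value, dict):
        return {k: sanitize(v) for k, v in value.items()}
    if isinstance(value, list):
        return [sanitize(v) for v in value]
    return value


def encode_strict(event) -> str:
    """Serialize an event so the output is always valid RFC 8259 JSON.

    allow_nan=False makes json.dumps raise instead of emitting NaN/Infinity,
    so any non-finite value that escapes sanitize() fails loudly here rather
    than producing an unparseable record.
    """
    return json.dumps(sanitize(event), allow_nan=False)


if __name__ == "__main__":
    for index, reason in find_invalid_lines(SAMPLE_LOG_LINES):
        print(f"line {index}: {reason}")
    print(encode_strict({"ratio": float("nan"), "limits": [float("inf"), -float("inf")]}))
```

Run the validator over a layout's output files to find records that downstream
indexers will reject; the string form in sanitize() is one choice, writing
null is another, and either is valid JSON.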

Credit:

Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (finder)

References:

https://github.com/apache/logging-log4j2/pull/4080
https://logging.apache.org/security.html#CVE-2026-34481
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/manual/json-template-layout.html
https://logging.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-34481

Timeline:

2026-02-16: Vulnerability reported by Ap4sh and Ethicxz
2026-03-10: Candidate patch internally shared by Piotr P. Karwasz
2026-03-24: Fix shared publicly by Piotr P. Karwasz as pull request #4080
2026-03-25: Fix verified by the reporter
2026-03-28: Log4j 2.25.4 released
