GHSA-w35j-pv5h-q9q9

Source
https://github.com/advisories/GHSA-w35j-pv5h-q9q9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w35j-pv5h-q9q9/GHSA-w35j-pv5h-q9q9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w35j-pv5h-q9q9
Aliases
  • CVE-2026-34481
Published
2026-04-10T18:31:18Z
Modified
2026-04-16T22:29:16.395463659Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
Summary
Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout
Details

Apache Log4j's JsonTemplateLayout, in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.

An attacker can exploit this issue only if both of the following conditions are met:

  • The application uses JsonTemplateLayout.
  • The application logs a MapMessage containing an attacker-controlled floating-point value.

Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.
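To find records already affected in collected logs, each JSON line can be checked against RFC 8259. The following is an added example, not code from the advisory or from the Log4j project. The function names are hypothetical and the sample lines are constructed. Python's `json` module accepts `NaN`, `Infinity` and `-Infinity` by default, so the check uses the `parse_constant` hook to reject them.

```python
import json


class NonFiniteToken(ValueError):
    """Raised when a line carries NaN, Infinity or -Infinity as a bare JSON token."""


def _reject(token):
    # json.loads calls this hook only for the bare tokens NaN, Infinity, -Infinity.
    raise NonFiniteToken(token)


def classify(line):
    """Return 'ok', 'non-finite:<token>' or 'invalid' for one JSON log line."""
    try:
        json.loads(line, parse_constant=_reject)
    except NonFiniteToken as exc:
        return "non-finite:" + str(exc)
    except json.JSONDecodeError:
        return "invalid"
    return "ok"


def scan(lines):
    """Yield (line_number, verdict) for every line that is not valid RFC 8259 JSON."""
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue  # skip blank lines between records
        verdict = classify(line)
        if verdict != "ok":
            yield number, verdict


# Constructed sample lines (not captured Log4j output).
SAMPLE = [
    '{"level":"INFO","message":{"latency":12.5}}',
    '{"level":"INFO","message":{"latency":NaN}}',
    '{"level":"INFO","message":{"ratio":-Infinity}}',
    '{"level":"INFO","message":{"note":"NaN"}}',       # quoted string, valid JSON
    '{"level":"INFO","message":{"latency":Infinity}}',
    '{"level":"INFO","message":',                      # truncated record
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE):
        print(number, verdict)
```

Lines reported as `non-finite` match the serialization problem described above; `invalid` lines are malformed for some other reason and need separate triage.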

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-116"
    ],
    "github_reviewed_at": "2026-04-10T21:16:54Z",
    "nvd_published_at": "2026-04-10T16:16:31Z",
    "severity": "MODERATE"
}
Affected packages

Maven
org.apache.logging.log4j:log4j-layout-template-json

Package

Name
org.apache.logging.log4j:log4j-layout-template-json
Purl
pkg:maven/org.apache.logging.log4j/log4j-layout-template-json

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.14.0
Fixed
2.25.4

Affected versions

2.*
2.14.0
2.14.1
2.15.0
2.16.0
2.17.0
2.17.1
2.17.2
2.18.0
2.19.0
2.20.0
2.21.0
2.21.1
2.22.0
2.22.1
2.23.0
2.23.1
2.24.0
2.24.1
2.24.2
2.24.3
2.25.0
2.25.1
2.25.2
2.25.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w35j-pv5h-q9q9/GHSA-w35j-pv5h-q9q9.json"
org.apache.logging.log4j:log4j-layout-template-json

Package

Name
org.apache.logging.log4j:log4j-layout-template-json
Purl
pkg:maven/org.apache.logging.log4j/log4j-layout-template-json

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0-alpha1
Last affected
3.0.0-beta3

Affected versions

3.*
3.0.0-alpha1
3.0.0-beta1
3.0.0-beta2
3.0.0-beta3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w35j-pv5h-q9q9/GHSA-w35j-pv5h-q9q9.json"