Improper Output Neutralization Vulnerability in Apache Log4cxx
CVE-2025-54812

2.1 LOW

Key Information:

Vendor

Apache

CVE Published:
22 August 2025

What is CVE-2025-54812?

An improper output neutralization vulnerability exists in Apache Log4cxx when using HTMLLayout. This issue stems from the improper escaping of logger names, allowing an attacker to inject malicious HTML or JavaScript if the name of a logger is derived from untrusted data. When the compromised logger logs a message, it can lead to Cross-Site Scripting (XSS) attacks if users subsequently open the generated HTML log file in their web browser. Users of Log4cxx should upgrade to version 1.5.0 to mitigate this vulnerability.
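The advisory describes a defect class, not a specific fix: a layout that writes the logger name into an HTML table cell verbatim lets markup in that name reach the browser. The following is an added illustration written for this page, not Log4cxx's own HTMLLayout code; `LogEvent`, `htmlEscape`, `formatRowUnsafe` and `formatRowSafe` are hypothetical names. It places the unescaped row builder beside the hardened one so the difference in output is visible on a constructed event whose logger name carries a tag.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical stand-in for a logging event; not a Log4cxx type.
struct LogEvent {
    std::string loggerName;  // may be derived from untrusted input
    std::string level;
    std::string message;
};

// Replace the five characters that can change HTML structure or break out
// of an attribute with their entity references. Everything else is copied.
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;        break;
        }
    }
    return out;
}

// Unsafe row builder (mirrors the defect class in the advisory): the message
// is escaped but the logger name is emitted as-is, so markup in the name is
// interpreted by the browser that opens the log file.
std::string formatRowUnsafe(const LogEvent& e) {
    std::ostringstream os;
    os << "<tr><td>" << htmlEscape(e.level) << "</td><td>" << e.loggerName
       << "</td><td>" << htmlEscape(e.message) << "</td></tr>";
    return os.str();
}

// Hardened row builder: every field that originates outside the layout is
// escaped before it is written, regardless of where it came from.
std::string formatRowSafe(const LogEvent& e) {
    std::ostringstream os;
    os << "<tr><td>" << htmlEscape(e.level) << "</td><td>"
       << htmlEscape(e.loggerName) << "</td><td>" << htmlEscape(e.message)
       << "</td></tr>";
    return os.str();
}

// Simple check a reviewer or test can run over rendered output: does a raw
// tag sequence from the input survive into the HTML?
bool containsRawTag(const std::string& html, const std::string& tag) {
    return html.find(tag) != std::string::npos;
}

int main() {
    // Constructed sample event: a logger name containing markup.
    LogEvent ev{"<b>untrusted</b>", "INFO", "request handled"};
    std::cout << "unsafe: " << formatRowUnsafe(ev) << "\n";
    std::cout << "safe:   " << formatRowSafe(ev) << "\n";
    return 0;
}
```

A useful property of the hardened form is that escaping is applied at the point of output rather than at the point where the logger name is created, so it holds no matter which code path produced the name.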

Affected Version(s)

Apache Log4cxx 0 < 1.5.0

References

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sovereign Tech Agency