TLS Hostname Verification Flaw in Apache Log4j Core
CVE-2025-68161

6.3 MEDIUM

Key Information:

Vendor:
Apache
CVE Published:
18 December 2025

What is CVE-2025-68161?

The Socket Appender in Apache Log4j Core, in versions from 2.0-beta9 up to and including 2.25.2, does not perform TLS hostname verification of the peer certificate. This happens regardless of whether the verifyHostName configuration attribute or the log4j2.sslVerifyHostName system property is set to true. As a result, log traffic can be intercepted or redirected by a man-in-the-middle attacker positioned between the client and the log receiver: because the peer's hostname is never checked against its certificate, the attacker only needs to present a legitimate server certificate from a certification authority the client trusts, which may give them access to sensitive log data. To mitigate this risk, users are strongly encouraged to upgrade to Apache Log4j Core version 2.25.3, or to configure the Socket Appender with a restricted trust root so that only certificates from a designated CA are accepted.
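An added configuration example, not taken from the advisory or the Log4j project, showing both mitigations the description names: a Socket Appender over TLS with verifyHostName enabled and a trust store restricted to a single private CA. The host name, file paths and environment variable names are placeholders; element and attribute names follow Log4j 2's documented SSL configuration and should be checked against the docs for the version in use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Placeholder log4j2.xml for a client that ships logs over TLS to a central receiver. -->
<Configuration status="WARN">
  <Appenders>
    <!-- protocol="SSL" selects TLS; with protocol="TCP" the stream is plaintext and an
         on-path attacker needs no certificate at all. -->
    <Socket name="LogReceiver" host="logs.internal.example" port="6514" protocol="SSL"
            connectTimeoutMillis="5000" reconnectionDelayMillis="10000">
      <!-- verifyHostName="true" is the documented switch. Per CVE-2025-68161 the Socket
           Appender ignored it before 2.25.3, so it only takes effect after upgrading. -->
      <SSL protocol="TLS" verifyHostName="true">
        <!-- Restricted trust root: a store holding ONLY the private CA that issues the
             log receiver's certificate. A certificate from any public CA is then rejected,
             even on versions where hostname verification is not performed. -->
        <TrustStore location="/etc/myapp/log-receiver-ca.p12" type="PKCS12"
                    passwordEnvironmentVariable="LOG_TRUSTSTORE_PASSWORD"/>
        <!-- Optional client certificate so the receiver can authenticate the sender too. -->
        <KeyStore location="/etc/myapp/log-client.p12" type="PKCS12"
                  passwordEnvironmentVariable="LOG_KEYSTORE_PASSWORD"/>
      </SSL>
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c - %m%n"/>
    </Socket>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="LogReceiver"/>
    </Root>
  </Loggers>
</Configuration>
```

The restricted trust store narrows who can present an acceptable certificate but does not restore the hostname check itself, so the upgrade to 2.25.3 remains the actual fix.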

Affected Version(s)

Apache Log4j Core 2.0-beta9 < 2.25.3

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Samuli Leinonen