CVE-2025-54812
Severity
2.1 LOW
EPSS
0.3%
top 43.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Aug 22
Description
Improper Output Neutralization for Logs vulnerability in Apache Log4cxx.
When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file.
If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or JavaScript in order to hide information from logs or steal data from the user.
In order to activate this, the following sequence must occur:
* Log4cxx is configured to use HTMLLayout.
* Logger name comes from an untrust…
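
The missing output escaping described above, shown as an added C++ example (not Log4cxx source and not part of the advisory). `logger_cell` is a hypothetical, simplified stand-in for one cell of an HTML log layout, the sample logger name is constructed, and `safe_logger_name` with its allowlist and `app.untrusted` fallback is an assumed caller-side mitigation.

```cpp
#include <iostream>
#include <string>

// Escape the characters that are significant in HTML text and attribute values.
std::string html_escape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Hypothetical stand-in for the logger-name cell of an HTML log row.
// escape=false reproduces the class of flaw in the description: the name is
// written into the markup verbatim. escape=true is the neutralized form.
std::string logger_cell(const std::string& logger_name, bool escape) {
    return "<td>" + (escape ? html_escape(logger_name) : logger_name) + "</td>";
}

// Assumed caller-side mitigation: never derive a logger name from untrusted
// data unless it matches a strict allowlist; otherwise use a fixed name.
std::string safe_logger_name(const std::string& untrusted) {
    static const std::string fallback = "app.untrusted";
    if (untrusted.empty() || untrusted.size() > 64) return fallback;
    for (unsigned char c : untrusted) {
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return fallback;
    }
    return untrusted;
}

int main() {
    const std::string constructed = "orders.<b>tenant</b>";  // constructed sample input
    std::cout << "unescaped: " << logger_cell(constructed, false) << "\n";
    std::cout << "escaped:   " << logger_cell(constructed, true) << "\n";
    std::cout << "allowlist: " << safe_logger_name(constructed) << "\n";
    return 0;
}
```
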
CVSS vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N