CVE-2025-68161

Severity: 6.3 MEDIUM
EPSS: 0.0% (top 90.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 18; latest update Apr 10

Description

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) or the log4j2.sslVerifyHostName system property (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) is set to true. This issue may allow a man-in-the-middle att
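The practical question for a defender is not whether verifyHostName is set but whether the log4j-core version in use honours it. The script below is an added example, not part of this page or of Apache Log4j: it checks a Maven log4j-core version string against the affected range given in the description (2.0-beta9 through 2.25.2, fixed in 2.25.3) and audits a log4j2.xml for Socket appenders that carry an SSL configuration, treating verifyHostName as requested when either the attribute or the log4j2.sslVerifyHostName system property is "true". The sample configuration, the appender names and the element spelling `<Ssl>` are constructed for the example; distribution versions with backports (such as Debian's 2.17.1-1~deb11u2) are deliberately not handled, since the version comparison only models upstream Maven releases.

```python
"""Audit a Log4j 2 configuration for CVE-2025-68161 exposure.

Added example, not code from the cvebase page or from Apache Log4j.
Two checks are made:
  1. is the log4j-core version inside 2.0-beta9 .. 2.25.2 (Maven versions
     only; distro versions with backports are out of scope), and
  2. does the configuration contain a Socket appender with an <Ssl> child,
     and was verifyHostName requested (attribute or system property)?
On an affected version a TLS Socket appender is reported as VULNERABLE
regardless of verifyHostName, because the advisory says the setting is
silently ignored there.
"""
import re
import xml.etree.ElementTree as ET

# Upstream version shapes: 2.0-beta9, 2.0-rc1, 2.0, 2.0.1, 2.25.2 ...
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE)
# Pre-release stages sort before the final release they precede.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}


def version_key(version):
    """Map a log4j version string to a tuple that orders correctly."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {version!r}")
    major, minor, patch, stage, stage_num = m.groups()
    stage = stage.lower() if stage else None
    return (int(major), int(minor), int(patch or 0),
            _STAGE_RANK[stage], int(stage_num or 0))


FIRST_AFFECTED = version_key("2.0-beta9")   # from the advisory text
LAST_AFFECTED = version_key("2.25.2")       # 2.25.3 is the fixed release


def is_affected_version(version):
    return FIRST_AFFECTED <= version_key(version) <= LAST_AFFECTED


def _attr(elem, name):
    """Case-insensitive attribute lookup (Log4j accepts either spelling)."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value
    return None


def _is_true(value):
    return value is not None and value.strip().lower() == "true"


def audit_config(xml_text, version, system_properties=None):
    """Return one finding dict per Socket appender that has an <Ssl> child.

    system_properties: JVM -D properties, e.g. {"log4j2.sslVerifyHostName": "true"}.
    """
    props = system_properties or {}
    affected = is_affected_version(version)
    findings = []
    for appender in ET.fromstring(xml_text).iter():
        if appender.tag.lower() != "socket":
            continue
        ssl = next((c for c in appender if c.tag.lower() == "ssl"), None)
        if ssl is None:
            continue  # plaintext socket: not TLS, so outside this CVE
        requested = (_is_true(_attr(ssl, "verifyHostName"))
                     or _is_true(props.get("log4j2.sslVerifyHostName")))
        if affected:
            verdict = "VULNERABLE"   # setting is ignored on this version; upgrade to >= 2.25.3
        elif requested:
            verdict = "OK"
        else:
            verdict = "WEAK"         # fixed version, but verification was never requested
        findings.append({
            "appender": _attr(appender, "name"),
            "host": _attr(appender, "host"),
            "port": _attr(appender, "port"),
            "version_affected": affected,
            "verify_requested": requested,
            "verdict": verdict,
        })
    return findings


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Socket name="TlsCollector" host="logs.example.internal" port="6514" protocol="TCP">
      <Ssl protocol="TLS" verifyHostName="true">
        <TrustStore location="/etc/app/truststore.p12" password="changeit"/>
      </Ssl>
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Socket>
    <Socket name="PlainCollector" host="10.0.0.5" port="4560" protocol="TCP">
      <PatternLayout pattern="%m%n"/>
    </Socket>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="TlsCollector"/></Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for ver in ("2.25.2", "2.25.3"):
        for f in audit_config(SAMPLE_CONFIG, ver):
            print(f"log4j-core {ver}: {f['appender']} -> {f['host']}:{f['port']} "
                  f"verifyHostName requested={f['verify_requested']} {f['verdict']}")
```

Run against the sample, the TlsCollector appender is reported VULNERABLE on 2.25.2 despite verifyHostName="true", and OK on 2.25.3; the plaintext PlainCollector is skipped because the CVE concerns TLS peers only. The WEAK verdict is a conservative flag for a fixed version where neither the attribute nor the system property asks for verification.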

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N

Affected Packages (4 packages)

Source      Package                                        Introduced   Fixed
Maven       org.apache.logging.log4j:log4j-core            2.0-beta9    2.25.3
CVEList V5  apache_software_foundation/apache_log4j_core   2.12.0       2.25.4 (+2)
Debian      apache-log4j2                                  affected: < 2.17.1-1~deb11u2
NVD         apache/log4j                                   2.0.1        2.25.3 (+1)

Patches

🔴 Vulnerability Details (5)

GHSA     2026-04-10  Apache Log4j Core: `verifyHostName` attribute silently ignored in TLS configuration
OSV      2025-12-18  Apache Log4j does not verify the TLS hostname in its Socket Appender
OSV      2025-12-18  CVE-2025-68161: The Socket Appender in Apache Log4j Core versions 2
GHSA     2025-12-18  Apache Log4j does not verify the TLS hostname in its Socket Appender
CVEList  2025-12-18  Apache Log4j Core: Missing TLS hostname verification in Socket appender

📋 Vendor Advisories (5)

Oracle     2026-01-15  Oracle GoldenGate Risk Matrix: Third Party (Apache Log4j) — CVE-2025-68161
Red Hat    2025-12-18  Apache Log4j: Apache Log4j Core: Information disclosure via missing TLS hostname verification
Microsoft  2025-12-09  Apache Log4j Core: Missing TLS hostname verification in Socket appender
Debian     2025        CVE-2025-68161: apache-log4j2 - The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does ...
Apache                 Apache logging: CVE-2025-68161

🕵️ Threat Intelligence (1)

Wiz                    CVE-2025-68161 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (1)

Bugzilla   2026-04-10  CVE-2026-34477 org.apache.logging.log4j/log4j-core: Apache Log4j Core: Man-in-the-middle attack due to incomplete hostname verification
CVE-2025-68161 (MEDIUM CVSS 6.3) | The Socket Appender in Apache Log4j | cvebase.io