Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-54812

Good to know:

icon

Date: August 22, 2025

Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Javascript in order to hide information from logs or steal data from the user. In order to activate this, the following sequence must occur: * Log4cxx is configured to use HTMLLayout. * Logger name comes from an untrusted string * Logger with compromised name logs a message * User opens the generated HTML log file in their browser, leading to potential XSS Because logger names are generally constant strings, we assess the impact to users as LOW This issue affects Apache Log4cxx: before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue.

Severity Score

Related Resources (6)

https://github.com/apache/logging-log4cxx/pull/509
https://security-tracker.debian.org/tracker/CVE-2025-54812
https://nvd.nist.gov/vuln/detail/CVE-2025-54812
https://github.com/apache/logging-log4cxx/pull/514
https://logging.apache.org/security.html#CVE-2025-54812
https://www.mend.io/vulnerability-database/CVE-2025-54812

Severity Score

Weakness Type (CWE)

Improper Output Neutralization for Logs

CWE-117

Top Fix

icon

Upgrade Version

Upgrade to version log4cxx - null;https://github.com/apache/logging-log4cxx.git - rel/v1.5.0;https://github.com/apache/logging-log4cxx.git - null

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us