GHSA-p6xc-xr62-6r2g

GitHub Security Advisory

Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion

GitHub Reviewed: Yes | Severity: HIGH | Has CVE: Yes

Advisory Details

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

# Affected packages
Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. If `org.apache.logging.log4j:log4j-api` is in use, it should be kept at the same version as `org.apache.logging.log4j:log4j-core` to ensure compatibility.

Affected Packages

Maven org.apache.logging.log4j:log4j-core
- all versions before 2.3.1 (fixed in 2.3.1)
- from 2.4.0 up to, but not including, 2.12.3 (fixed in 2.12.3)
- from 2.13.0 up to, but not including, 2.17.0 (fixed in 2.17.0)

Maven org.ops4j.pax.logging:pax-logging-log4j2
- from 1.8.0 up to, but not including, 1.9.2 (fixed in 1.9.2)
- from 1.10.0 up to, but not including, 1.10.9 (fixed in 1.10.9)
- from 1.11.0 up to, but not including, 1.11.12 (fixed in 1.11.12)
- from 2.0.0 up to, but not including, 2.0.13 (fixed in 2.0.13)
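As an added example (not part of the advisory or of the Log4j project), the following Python checker applies the affected ranges listed above to a Maven artifact and version, reading each entry as [introduced, fixed) and treating "0" as "every version before the first fix". The version ordering it uses (a pre-release qualifier such as `alpha1` sorting before the final release of the same number) is an assumption that approximates Maven's ordering for the versions named on this page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Ranges copied from the "Affected Packages" list of GHSA-p6xc-xr62-6r2g,
# as [introduced, fixed) pairs. "0" means every version before the fix.
# This table is the page's data; the code around it is an added example.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "org.apache.logging.log4j:log4j-core": [
        ("0", "2.3.1"),
        ("2.4.0", "2.12.3"),
        ("2.13.0", "2.17.0"),
    ],
    "org.ops4j.pax.logging:pax-logging-log4j2": [
        ("1.8.0", "1.9.2"),
        ("1.10.0", "1.10.9"),
        ("1.11.0", "1.11.12"),
        ("2.0.0", "2.0.13"),
    ],
}

VersionKey = Tuple[Tuple[int, int, int], int, str]

def version_key(version: str) -> VersionKey:
    """Turn '2.0-alpha1' or '2.12.3' into a sortable key.
    Assumption: any alphabetic qualifier (alpha1, beta2, rc1) is a
    pre-release and sorts before the final release, so 2.0-alpha1 < 2.0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]([A-Za-z][\w.]*))?", version.strip())
    if not m:
        raise ValueError(f"unparseable Maven version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums = (nums + [0, 0, 0])[:3]          # pad so 2.0 compares as 2.0.0
    qualifier = (m.group(2) or "").lower()
    return (tuple(nums), 0 if qualifier else 1, qualifier)

def affected_range(artifact: str, version: str) -> Optional[Tuple[str, str]]:
    """Return the (introduced, fixed) range covering `version`, or None."""
    key = version_key(version)
    for introduced, fixed in AFFECTED_RANGES.get(artifact, []):
        if version_key(introduced) <= key < version_key(fixed):
            return (introduced, fixed)
    return None

def is_affected(artifact: str, version: str) -> bool:
    """True if the advisory lists this artifact version as vulnerable."""
    return affected_range(artifact, version) is not None
```

Note that 2.3.2 and 2.12.3 are not affected, since the fixed versions are excluded from each range and no range starts before 2.4.0 after the 2.3.1 fix.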

Key Information

GHSA ID
GHSA-p6xc-xr62-6r2g
Published
December 18, 2021 6:00 PM
Last Modified
May 9, 2025 12:31 PM
CVSS Score
7.5 /10
Primary Ecosystem
Maven
Primary Package
org.apache.logging.log4j:log4j-core
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 21, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.