CVE-2025-54812
Apache Log4cxx: Improper HTML escaping in HTMLLayout
Description
Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Javascript in order to hide information from logs or steal data from the user. In order to activate this, the following sequence must occur: * Log4cxx is configured to use HTMLLayout. * Logger name comes from an untrusted string * Logger with compromised name logs a message * User opens the generated HTML log file in their browser, leading to potential XSS Because logger names are generally constant strings, we assess the impact to users as LOW This issue affects Apache Log4cxx: before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue.
INFO
Published Date :
Aug. 22, 2025, 7:15 p.m.
Last Modified :
Aug. 26, 2025, 9:16 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | [email protected] | ||||
| CVSS 4.0 | LOW | [email protected] |
Solution
- Upgrade Apache Log4cxx to version 1.5.0.
- Avoid using untrusted logger names with HTMLLayout.
- Sanitize logger names before using them.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-54812.
| URL | Resource |
|---|---|
| https://github.com/apache/logging-log4cxx/pull/509 | Issue Tracking Patch |
| https://github.com/apache/logging-log4cxx/pull/514 | Issue Tracking Patch |
| https://logging.apache.org/security.html#CVE-2025-54812 | Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-54812 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-54812
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-54812 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2025-54812 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Aug. 26, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Added CPE Configuration OR *cpe:2.3:a:apache:log4cxx:*:*:*:*:*:*:*:* versions up to (excluding) 1.5.0 Added Reference Type Apache Software Foundation: https://github.com/apache/logging-log4cxx/pull/509 Types: Issue Tracking, Patch Added Reference Type Apache Software Foundation: https://github.com/apache/logging-log4cxx/pull/514 Types: Issue Tracking, Patch Added Reference Type Apache Software Foundation: https://logging.apache.org/security.html#CVE-2025-54812 Types: Vendor Advisory -
New CVE Received by [email protected]
Aug. 22, 2025
Action Type Old Value New Value Added Description Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Javascript in order to hide information from logs or steal data from the user. In order to activate this, the following sequence must occur: * Log4cxx is configured to use HTMLLayout. * Logger name comes from an untrusted string * Logger with compromised name logs a message * User opens the generated HTML log file in their browser, leading to potential XSS Because logger names are generally constant strings, we assess the impact to users as LOW This issue affects Apache Log4cxx: before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue. Added CVSS V4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-117 Added Reference https://github.com/apache/logging-log4cxx/pull/509 Added Reference https://github.com/apache/logging-log4cxx/pull/514 Added Reference https://logging.apache.org/security.html#CVE-2025-54812