Vulnerabilities

1 via 1 paths

Dependencies

6

Source

GitHub

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
Status
  • 1
  • 0
  • 0

medium severity
new

Improper Encoding or Escaping of Output

  • Vulnerable module: org.apache.logging.log4j:log4j-api
  • Introduced through: org.apache.logging.log4j:log4j-api@2.25.4

Detailed paths

  • Introduced through: inqwise/inqwise-context@inqwise/inqwise-context org.apache.logging.log4j:log4j-api@2.25.4
    Remediation: Upgrade to org.apache.logging.log4j:log4j-api@2.25.5.

Overview

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the MapMessage.asJson() method, which emits the bare NaN, Infinity, or -Infinity tokens instead of an RFC 8259-compliant representation. An attacker can emit malformed JSON that corrupts the enclosing log record or disrupts downstream log ingestion and parsing by supplying non-finite floating-point values that the application records in a logged MapMessage. Exploitation requires the application to use the message resolver of JsonTemplateLayout, or another layout relying on MapMessage.asJson(), and to log a MapMessage holding attacker-controlled floating-point values.

Note: This is a bypass of the fix for the vulnerability described in CVE-2026-34481.

Remediation

A fix was pushed into the master branch but not yet published.

References