Remediation:
Upgrade to org.apache.logging.log4j:log4j-api@2.25.5.
Overview
Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the MapMessage.asJson() method, which emits the bare NaN, Infinity, or -Infinity tokens instead of an RFC 8259-compliant representation. An attacker can emit malformed JSON that corrupts the enclosing log record or disrupts downstream log ingestion and parsing by supplying non-finite floating-point values that the application records in a logged MapMessage. Exploitation requires the application to use the message resolver of JsonTemplateLayout, or another layout relying on MapMessage.asJson(), and to log a MapMessage holding attacker-controlled floating-point values.
Note: This is a bypass of the fix for the vulnerability described in CVE-2026-34481.
Remediation
A fix was pushed into the master branch but not yet published.