org.apache.logging.log4j:log4j-core Security... | GeekWala
Maven (Java)

org.apache.logging.log4j:log4j-core

org.apache.logging.log4j:log4j-core has 5 known security vulnerabilities in Maven (Java). Upgrade to version 2.25.3 or later to resolve all known issues. Data sourced from OSV, enriched with EPSS exploit probability and CISA KEV.

5 Vulnerabilities

Recommended safe version: 2.25.3

Upgrading to 2.25.3 or later resolves all 5 known vulnerabilities in org.apache.logging.log4j:log4j-core. Update your pom.xml or build.gradle to version 2.25.3.


Total: 5 | Critical: 0 | High: 0 | Medium: 0 | Low: 0

Active Exploitation Warning

One or more vulnerabilities in this package are known to be actively exploited in the wild. Immediate action is recommended.

Vulnerabilities

5 unique vulnerabilities — sorted by severity. Click a CVE/GHSA ID for full details.

| CVE / GHSA | Severity | Affected | Fixed In |
| --- | --- | --- | --- |
| GHSA-7rjr-3q55-vv33: Incomplete fix for Apache Log4j vulnerability | CRITICAL | 2.13.0, 2.13.1, 2.13.2, 2.13.3 (+42 more) | 2.16.0, 2.12.2 |
| GHSA-jfh8-c2jp-5v3q: Remote code injection in Log4j | CRITICAL | 2.13.0, 2.13.1, 2.13.2, 2.13.3 (+29 more) | 2.15.0, 2.3.1, 2.12.2 |
| GHSA-p6xc-xr62-6r2g: Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion | HIGH | 2.10.0, 2.11.0, 2.11.1, 2.11.2 (+42 more) | 2.12.3, 2.17.0, 2.3.1 |
| GHSA-8489-44mv-ggj8: Improper Input Validation and Injection in Apache Log4j2 | MODERATE | 2.0, 2.0-beta7, 2.0-beta8, 2.0-beta9 (+37 more) | 2.3.2, 2.12.4, 2.17.1 |
| GHSA-vc5p-v9hr-52mj: Apache Log4j does not verify the TLS hostname in its Socket Appender | MODERATE | 2.0, 2.0-beta9, 2.0-rc1, 2.0-rc2 (+55 more) | 2.25.3 |

About This Data

Vulnerability data for org.apache.logging.log4j:log4j-core is sourced from the Open Source Vulnerability (OSV) database, aggregating reports from GitHub Advisory Database, NIST NVD, and ecosystem-specific sources.

CVSS (Common Vulnerability Scoring System) scores reflect exploitability and impact. EPSS (Exploit Prediction Scoring System) scores indicate the probability of exploitation within the next 30 days. Vulnerabilities marked with are listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.


Data from OSV Database. Updated daily. 200K+ vulnerabilities indexed.