[GHSA-3pxv-7cmr-fjr4] Apache Log4j Core's XmlLayout fails to sanitize characters #7361
+3
−3
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -6,8 +6,8 @@ | |||||
| "aliases": [ | ||||||
| "CVE-2026-34480" | ||||||
| ], | ||||||
| "summary": "Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters", | ||||||
| "details": "Apache Log4j Core's [`XmlLayout`](https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to sanitize characters forbidden by the [XML 1.0 specification](https://www.w3.org/TR/xml/#charsets) producing invalid XML output whenever a log message or MDC value contains such characters.\n\nThe impact depends on the StAX implementation in use:\n\n * **JRE built-in StAX**: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.\n * **Alternative StAX implementations** (e.g., [Woodstox](https://github.com/FasterXML/woodstox), a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.", | ||||||
|
There was a problem hiding this comment. Minor grammar: add punctuation after the XML 1.0 specification link (e.g., ") , producing…" or rephrase) so the opening sentence reads cleanly.
Suggested change
|
||||||
| "severity": [ | ||||||
| { | ||||||
| "type": "CVSS_V4", | ||||||
|
|
@@ -47,7 +47,7 @@ | |||||
| "introduced": "3.0.0-alpha1" | ||||||
| }, | ||||||
| { | ||||||
| "last_affected": "3.0.0-beta3" | ||||||
| } | ||||||
| ] | ||||||
| } | ||||||
|
|
||||||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The summary says "unescaped XML 1.0 forbidden characters", but XML 1.0 forbidden characters generally can’t be made valid via escaping—Log4j needs to sanitize/remove/replace them. Consider rewording to "unsanitized"/"unsanitized forbidden characters" to avoid implying escaping is a viable fix.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the original summary we submitted, but the suggestion makes sense.