Apache Log4j JSON Template Layout Invalid Floating-Point Value Handling Vulnerability

Vulnerability

A vulnerability exists in Apache Log4j's JsonTemplateLayout, in versions up to and including 2.25.3. The layout generates invalid JSON when log events include non-finite floating-point values (NaN, Infinity, or -Infinity), which RFC 8259 disallows. This flaw can lead to downstream log processing systems rejecting or failing to index the affected records. The issue can be exploited if the application uses JsonTemplateLayout and logs a MapMessage with an attacker-controlled floating-point value.

Impact

This vulnerability causes silent log event loss, as downstream systems may drop or fail to index the affected records.

Reproduction

To reproduce this vulnerability, configure the application to use Apache Log4j's JsonTemplateLayout. Then, log a MapMessage that includes a floating-point value controlled by the attacker, such as NaN or Infinity. This can be done by manipulating the Thread Context Map (MDC) input data with a recursive lookup that includes a non-finite floating-point value.
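As an added defender-side example (not code from Log4j or from this advisory), the following Python checks a stream of JSON log records for the bare NaN, Infinity and -Infinity tokens the affected layout emits, rejects them the way a strict RFC 8259 consumer would, and rewrites them to null so the record is still indexed and the repair is reported instead of the event being lost silently. The sample lines are constructed to approximate the layout's output; their field names and values are assumptions.

```python
import json

# Constructed sample lines, shaped like the JSON that JsonTemplateLayout (<= 2.25.3) emits
# when a MapMessage carries a non-finite double (field names are assumptions). Lines 1, 2
# and 4 hold bare NaN/Infinity/-Infinity tokens, which RFC 8259 does not allow; line 3 is
# valid and only contains the string "NaN" as data, which must be left untouched.
SAMPLE_LOG_LINES = [
    '{"@timestamp":"2026-04-10T16:42:00.000Z","level":"INFO","message":{"ratio":NaN,"host":"app-1"}}',
    '{"@timestamp":"2026-04-10T16:42:01.000Z","level":"WARN","message":{"latency":Infinity}}',
    '{"@timestamp":"2026-04-10T16:42:02.000Z","level":"INFO","message":{"note":"NaN","ratio":0.5}}',
    '{"@timestamp":"2026-04-10T16:42:03.000Z","level":"ERROR","message":{"delta":-Infinity}}',
]

class NonFiniteNumberError(ValueError):
    """Raised when a bare NaN/Infinity/-Infinity token is found in a record."""

def _reject(token: str):
    # json.loads invokes parse_constant only for bare NaN/Infinity/-Infinity tokens,
    # never for those words inside a JSON string, so raising here is precise.
    raise NonFiniteNumberError(f"non-finite token {token!r} is not RFC 8259 JSON")

def parse_strict(line: str) -> dict:
    """Parse a record as a strict RFC 8259 indexer would; non-finite tokens are rejected."""
    return json.loads(line, parse_constant=_reject)

def is_rfc8259_json(line: str) -> bool:
    """True when a strict consumer would accept the record unchanged."""
    try:
        parse_strict(line)
    except (NonFiniteNumberError, json.JSONDecodeError):
        return False
    return True

def sanitize(line: str) -> str:
    """Rewrite bare non-finite tokens to null so the record can still be indexed."""
    record = json.loads(line, parse_constant=lambda _token: None)
    return json.dumps(record, separators=(",", ":"))

def triage(lines):
    """Return (indexable_lines, repaired_indices, dropped_indices): non-finite records are
    repaired and reported, unparseable ones are dropped by index, so no loss is silent."""
    indexable, repaired, dropped = [], [], []
    for i, line in enumerate(lines):
        try:
            parse_strict(line)
            indexable.append(line)
        except NonFiniteNumberError:
            repaired.append(i)
            indexable.append(sanitize(line))
        except json.JSONDecodeError:
            dropped.append(i)
    return indexable, repaired, dropped
```

Run `triage` over the lines as they arrive from the collector; the repaired and dropped index lists are what to count and alert on, since a drop that is counted is no longer silent.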

Remediation

Upgrade to Apache Log4j JSON Template Layout version 2.25.4, which addresses this vulnerability.

Added: Apr 10, 2026, 4:42 PM
Updated: Apr 10, 2026, 4:42 PM

Vulnerability Rating

Custom Algorithm
category         score
spread           0.0
impact           0.8
exploitability   7.7
remediation      0.0
relevance        5.6
threat           4.8
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.