<reportApi _class='io.jenkins.plugins.analysis.core.restapi.ReportApi'><issue><addedAt>0</addedAt><authorEmail>-</authorEmail><authorName>-</authorName><baseName>pom.xml</baseName><category></category><columnEnd>0</columnEnd><columnStart>0</columnStart><commit>-</commit><description></description><fileName>mvn/dependencies/log/pom.xml</fileName><fingerprint>71CD7067FBC59DD5193C658794A60BF0</fingerprint><lineEnd>0</lineEnd><lineStart>0</lineStart><message>CVE-2026-34481: CVE-2026-34481

CVE-2026-34481: Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout

For additional help see: **Your dependency is vulnerable to [CVE-2026-34481](https://osv.dev/CVE-2026-34481)**.

## [GHSA-w35j-pv5h-q9q9](https://osv.dev/GHSA-w35j-pv5h-q9q9)

&lt;details&gt;
&lt;summary&gt;Details&lt;/summary&gt;

&gt; Apache Log4j's [`JsonTemplateLayout`](https://logging.apache.org/log4j/2.x/manual/json-template-layout.html), in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (`NaN`, `Infinity`, or `-Infinity`), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.
&gt; 
&gt; An attacker can exploit this issue only if both of the following conditions are met:
&gt; 
&gt;   *  The application uses `JsonTemplateLayout`.
&gt;   *  The application logs a `MapMessage` containing an attacker-controlled floating-point value.
&gt; 
&gt; Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.

&lt;/details&gt;

---

### Affected Packages

| Source | Package Name | Package Version |
| --- | --- | --- |
| lockfile:/var/lib/jenkins/workspace/GovWay/mvn/dependencies/log/pom.xml | org.apache.logging.log4j:log4j-layout-template-json | 2.25.3 |

## Remediation

To fix these vulnerabilities, update the affected packages to the fixed versions listed below or later.

### Fixed Versions

| Vulnerability ID | Package Name | Fixed Version |
| --- | --- | --- |
| GHSA-w35j-pv5h-q9q9 | org.apache.logging.log4j:log4j-layout-template-json | 2.25.4 |

If you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an
`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.

See the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/

Add or append these values to the following config files to ignore this vulnerability:

`/var/lib/jenkins/workspace/GovWay/mvn/dependencies/log/osv-scanner.toml`

```
[[IgnoredVulns]]
id = "CVE-2026-34481"
reason = "Your reason for ignoring this vulnerability"
```


Package 'org.apache.logging.log4j:log4j-layout-template-json@2.25.3' is vulnerable to 'CVE-2026-34481' (also known as 'GHSA-w35j-pv5h-q9q9').</message><moduleName>dependencies.log</moduleName><origin>osv</origin><originName>OSV-Scanner</originName><packageName>-</packageName><reference>1445</reference><severity>NORMAL</severity><toString>pom.xml(0,0): CVE-2026-34481: : CVE-2026-34481: CVE-2026-34481

CVE-2026-34481: Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout

For additional help see: **Your dependency is vulnerable to [CVE-2026-34481](https://osv.dev/CVE-2026-34481)**.

## [GHSA-w35j-pv5h-q9q9](https://osv.dev/GHSA-w35j-pv5h-q9q9)

&lt;details&gt;
&lt;summary&gt;Details&lt;/summary&gt;

&gt; Apache Log4j's [`JsonTemplateLayout`](https://logging.apache.org/log4j/2.x/manual/json-template-layout.html), in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (`NaN`, `Infinity`, or `-Infinity`), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.
&gt; 
&gt; An attacker can exploit this issue only if both of the following conditions are met:
&gt; 
&gt;   *  The application uses `JsonTemplateLayout`.
&gt;   *  The application logs a `MapMessage` containing an attacker-controlled floating-point value.
&gt; 
&gt; Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.

&lt;/details&gt;

---

### Affected Packages

| Source | Package Name | Package Version |
| --- | --- | --- |
| lockfile:/var/lib/jenkins/workspace/GovWay/mvn/dependencies/log/pom.xml | org.apache.logging.log4j:log4j-layout-template-json | 2.25.3 |

## Remediation

To fix these vulnerabilities, update the affected packages to the fixed versions listed below or later.

### Fixed Versions

| Vulnerability ID | Package Name | Fixed Version |
| --- | --- | --- |
| GHSA-w35j-pv5h-q9q9 | org.apache.logging.log4j:log4j-layout-template-json | 2.25.4 |

If you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an
`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.

See the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/

Add or append these values to the following config files to ignore this vulnerability:

`/var/lib/jenkins/workspace/GovWay/mvn/dependencies/log/osv-scanner.toml`

```
[[IgnoredVulns]]
id = "CVE-2026-34481"
reason = "Your reason for ignoring this vulnerability"
```


Package 'org.apache.logging.log4j:log4j-layout-template-json@2.25.3' is vulnerable to 'CVE-2026-34481' (also known as 'GHSA-w35j-pv5h-q9q9').</toString><type>CVE-2026-34481</type></issue><size>1</size><toString>1 warning (normal: 1)</toString></reportApi>