log4j-api is vulnerable to Improper Output Encoding
63
Medium Risk
The log4j-api MapMessageJsonFormatter serializes non-finite floating-point values by emitting bare NaN, Infinity, and -Infinity tokens through MapMessage.asJson(). RFC 8259 does not permit these tokens, so a MapMessage carrying an untrusted non-finite float produces JSON that conformant parsers reject. When an application uses JsonTemplateLayout or another layout that relies on MapMessage.asJson(), this can corrupt the enclosing log record and disrupt downstream log ingestion. The fix encodes non-finite values as quoted strings so the emitted document stays valid JSON.
You are affected if you are using a version that falls within the vulnerable range and your application logs a MapMessage with untrusted floating-point values through a layout that relies on MapMessage.asJson().
log4j-api is vulnerable to Improper Output Encoding in versions 2.13.1 - 2.25.4 and 2.26.0 - 2.26.0.
Upgrade the org.apache.logging.log4j:log4j-api library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant