CVE-2025-68161

Aliases:GHSA-vc5p-v9hr-52mj

Advisory lineage Upstream: 0 Downstream: 5

Downstream

DEBIAN-CVE-2025-68161 OPENSUSE-SU-2026:10009-1 OPENSUSE-SU-2026:20099-1 SUSE-SU-2026:0254-1 UBUNTU-CVE-2025-68161

Modified

Published: 18 Dec 2025, 20:47

Last modified:10 Apr 2026, 16:18

Vulnerability Summary

Overall Risk (default)

medium

35/100

CVSS Score

6.3 MEDIUM

v4.0 (cve.org)

EPSS Score

0.03% LOW

0% probability -0.07%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

18 Dec 2025, 20:47

Published

Vulnerability first disclosed

10 Apr 2026, 16:18

Last Modified

Vulnerability information updated

Description

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

CVSS Metrics

v4.0•MEDIUM•Score: 6.3CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N
v4.0•MEDIUM•Score: 6.3CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
v3.1•MEDIUM•Score: 4.8CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS Trends

Current EPSS score: 0.03%• Percentile: 9%

Techniques & Countermeasures

CWE-295•Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.
CWE-297•Improper Validation of Certificate with Host Mismatch
The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

Affected Systems

apache software foundation•apache log4j core
≥ 2.0-beta9, < 2.25.3 | ≥ 3.0.0-alpha1, ≤ 3.0.0-beta3
apache•log4j
≥ 2.0.1, < 2.25.3 | 2.0 | 2.0:beta9 | 2.0:rc1 | 2.0:rc1-rc1 | 2.0:rc2
org.apache.logging.log4j•log4j-core
≥ 2.0-beta9, < 2.25.3