CVE-2025-68161
Severity CVSS v4.0:
MEDIUM
Type:
CWE-297
Improper Validation of Certificate with Host Mismatch
Publication date:
18/12/2025
Last modified:
19/12/2025
Description
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true.<br />
<br />
This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:<br />
<br />
* The attacker is able to intercept or redirect network traffic between the client and the log receiver.<br />
* The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured).<br />
<br />
<br />
Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.<br />
<br />
As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.
Impact
Base Score 4.0
6.30
Severity 4.0
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/apache/logging-log4j2/pull/4002
- https://lists.apache.org/thread/xr33kyxq3sl67lwb61ggvm1fzc8k7dvx
- https://logging.apache.org/cyclonedx/vdr.xml
- https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName
- https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName
- https://logging.apache.org/security.html#CVE-2025-68161
- http://www.openwall.com/lists/oss-security/2025/12/18/1