[Snyk] Security upgrade org.apache.logging.log4j:log4j-core from 2.15.0 to 2.25.4#53

Open
EmanFAs wants to merge 2 commits into main from snyk-fix-b5b8dabbbff4ea7195a6d585fb948e27
Conversation

EmanFAs (Owner) commented Apr 11, 2026

Snyk has created this PR to fix 3 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • log4shell-goof/log4shell-server/pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue | Score | Upgrade
medium severity: Improper Validation of Certificate with Host Mismatch (SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967727), No Known Exploit | 113 | org.apache.logging.log4j:log4j-core: 2.15.0 -> 2.25.4
medium severity: Improper Encoding or Escaping of Output (SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769), No Known Exploit | 67 | org.apache.logging.log4j:log4j-core: 2.15.0 -> 2.25.4
medium severity: Improper Encoding or Escaping of Output (SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804), No Known Exploit | 67 | org.apache.logging.log4j:log4j-core: 2.15.0 -> 2.25.4

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Improper Encoding or Escaping of Output

EmanFAs (Owner, Author) commented Apr 11, 2026

Merge Risk: High

Upgrading log4j-core from version 2.15.0 to 2.25.4 introduces significant changes, including critical security fixes and several potential breaking changes that require developer attention.

Key Breaking Changes:

  • High-Precision Timestamps: A major breaking change was introduced in version 2.24.0. The XML, JSON, and YAML structured log formats no longer include the timeMillis attribute. It has been replaced with an Instant object containing epochSecond and nanoOfSecond attributes. [8] Applications that parse these log formats will need to be updated.
  • Removed Modules: Starting from version 2.24.0, several modules are no longer part of the main release and must be managed as separate dependencies. This includes log4j-flume-ng, log4j-kubernetes, and log4j-mongodb3. [8]
  • Security Hardening: In response to vulnerabilities like Log4Shell, versions subsequent to 2.15.0 introduced stricter security defaults. JNDI lookups are disabled by default, and enabling scripting languages now requires explicit configuration via a system property. [2, 3]
  • SLF4J Binding Compatibility: Due to a compatibility break, Log4j now provides two separate SLF4J adapters. Developers must ensure they use the correct adapter (log4j-slf4j-impl for SLF4J 1.7.x or log4j-slf4j2-impl for SLF4J 2.x). [4, 6]

Recommendation:

Given that the starting version 2.15.0 is known to have critical vulnerabilities, this upgrade is necessary. [11] However, due to the high-impact breaking changes, thorough testing is required. Developers should:

  1. Verify if the application parses structured log formats (JSON, XML, YAML) and update the parsing logic for the new timestamp format.
  2. Check if the project uses any of the removed modules (log4j-kubernetes, etc.) and add them as explicit dependencies if needed.
  3. Confirm that logging configurations do not rely on the old, insecure defaults for JNDI or scripting.

Source: Apache Log4j Release Notes [8]

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
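As an added illustration of the first breaking change listed above (this is not code from the PR, from Snyk or from Log4j): a consumer-side parser that accepts both the pre-2.24.0 timeMillis attribute and the newer instant object, so a log pipeline keeps working across the upgrade. The JSON key `instant` and the non-timestamp field names are assumptions, and the sample records are constructed.

```python
"""Normalise Log4j structured JSON records across the 2.24.0 timestamp change."""
import json
from datetime import datetime, timezone

# Constructed sample records: the first uses the pre-2.24.0 shape (timeMillis),
# the second the 2.24.0+ shape (an instant object with epochSecond/nanoOfSecond).
# The key name "instant" and the other field names are assumptions for this example.
SAMPLE_LINES = [
    '{"timeMillis":1712793600123,"level":"INFO","loggerName":"app","message":"old format"}',
    '{"instant":{"epochSecond":1712793600,"nanoOfSecond":123456789},'
    '"level":"WARN","loggerName":"app","message":"new format"}',
]


def event_time_ns(record: dict) -> int:
    """Return the event timestamp as integer nanoseconds since the Unix epoch.

    Accepts either the legacy timeMillis attribute or the newer instant object
    (instant wins if both are present). Raises ValueError if neither is there,
    so silently mis-timestamped events cannot slip into downstream detection.
    """
    instant = record.get("instant")
    if isinstance(instant, dict):
        return int(instant["epochSecond"]) * 1_000_000_000 + int(instant.get("nanoOfSecond", 0))
    if "timeMillis" in record:
        return int(record["timeMillis"]) * 1_000_000
    raise ValueError("record has neither 'instant' nor 'timeMillis'")


def parse_log_line(line: str) -> dict:
    """Parse one JSON log line into a dict with a normalised UTC 'time' field."""
    record = json.loads(line)
    ns = event_time_ns(record)
    # Build the datetime from integer parts to keep sub-millisecond precision.
    when = datetime.fromtimestamp(ns // 1_000_000_000, tz=timezone.utc)
    when = when.replace(microsecond=(ns % 1_000_000_000) // 1000)
    return {
        "time": when,
        "time_ns": ns,
        "level": record.get("level"),
        "logger": record.get("loggerName"),
        "message": record.get("message"),
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_log_line(sample))
```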

snyk-io Bot commented Apr 11, 2026

Snyk checks have passed. No issues have been found so far.

Status | Scan Engine | Critical | High | Medium | Low | Total (0)
passed | Open Source Security | 0 | 0 | 0 | 0 | 0 issues
passed | Licenses | 0 | 0 | 0 | 0 | 0 issues
passed | Code Security | 0 | 0 | 0 | 0 | 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
