CVE-2025-68161

Summary

Apache Log4j does not verify the TLS hostname in its Socket Appender

Severity

medium

EPSS

0.7% (p50)

Also known as

GHSA-vc5p-v9hr-52mj

Published

2025-12-18

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-68161
• https://github.com/apache/logging-log4j2/pull/4002
• https://github.com/apache/logging-log4j2/commit/3b93748497e1adbbd027fda8a5e7268ec5d0d578

Related advisories

• CVE-2021-45046 — critical · Maven/org.apache.logging.log4j:log4j-core
• CVE-2021-44228 — critical · Maven/org.apache.logging.log4j:log4j-core
• CVE-2026-34478 — medium · Maven/org.apache.logging.log4j:log4j-core
• CVE-2026-34480 — medium · Maven/org.apache.logging.log4j:log4j-core
• CVE-2026-34477 — medium · Maven/org.apache.logging.log4j:log4j-core

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity