The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true.
This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:
Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.
As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.
{
"cwe_ids": [
"CWE-297"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68161.json",
"cna_assigner": "apache"
}{
"extracted_events": [
{
"introduced": "2.0.1"
},
{
"fixed": "2.25.3"
},
{
"introduced": "2.0-NA"
},
{
"last_affected": "2.0-NA"
}
],
"source": [
"CPE_RANGE",
"CPE_STRING"
],
"cpe": [
"cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*"
]
}