Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
Description
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 are vulnerable to denial of service via uncontrolled recursion in self-referential lookups.
Vulnerability
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) do not protect against uncontrolled recursion caused by self-referential lookups [1][3]. This vulnerability resides in the lookup evaluation mechanism and is triggered when a crafted string containing recursive lookup patterns is processed. The attack requires the attacker to have control over the Thread Context Map (MDC) data [2][4].
Exploitation
An attacker must be able to inject or control data in the Thread Context Map used by Log4j, for example via user-supplied input that is later logged with a pattern layout that includes context lookups [1][3]. Once the attacker provides a specially crafted string (e.g., a pattern that references itself), Log4j enters an infinite recursion during lookup resolution, causing a denial of service [4]. The attacker does not need authentication if they can control MDC input.
Impact
Successful exploitation results in a denial of service (DoS) condition, typically consuming excessive CPU or memory and potentially crashing the Java application using Log4j [1][3]. The vulnerability does not lead to remote code execution (RCE) or information disclosure beyond what is already accessible via logging [2]. The scope is limited to the affected application process.
Mitigation
All users should upgrade to Log4j 2.17.0 (Java 8), 2.12.3 (Java 7), or 2.3.1 (Java 6) to patch this vulnerability [1][3]. No other workarounds are published; the fix disables the recursive lookup feature [4]. Users with EOL versions should upgrade to supported releases. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.logging.log4j:log4j-core | Maven | >= 2.4.0, < 2.12.3 | 2.12.3 |
| org.apache.logging.log4j:log4j-core | Maven | >= 2.13.0, < 2.17.0 | 2.17.0 |
| org.apache.logging.log4j:log4j-core | Maven | < 2.3.1 | 2.3.1 |
| org.ops4j.pax.logging:pax-logging-log4j2 | Maven | >= 1.8.0, < 1.9.2 | 1.9.2 |
| org.ops4j.pax.logging:pax-logging-log4j2 | Maven | >= 1.10.0, < 1.10.9 | 1.10.9 |
| org.ops4j.pax.logging:pax-logging-log4j2 | Maven | >= 1.11.0, < 1.11.12 | 1.11.12 |
| org.ops4j.pax.logging:pax-logging-log4j2 | Maven | >= 2.0.0, < 2.0.13 | 2.0.13 |
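The mitigation above comes down to a version check, and the table gives the exact ranges. The Python helper below is added here and is not part of this advisory or of the Log4j project: it encodes the table's ranges, orders pre-release qualifiers the way Maven does (so a `2.17.0-rc1` is still flagged), and scans a dependency list for affected artifacts. The sample dependency lines are constructed, and the `group:artifact:type:version:scope` field layout it parses (as printed by `mvn dependency:list`) is an assumption about the input.

```python
import re
# Affected ranges copied from the "Affected packages" table on this page:
# (lower bound inclusive or None, upper bound exclusive, first fixed version).
AFFECTED_RANGES = {
    "org.apache.logging.log4j:log4j-core": [
        (None, "2.3.1", "2.3.1"), ("2.4.0", "2.12.3", "2.12.3"), ("2.13.0", "2.17.0", "2.17.0")],
    "org.ops4j.pax.logging:pax-logging-log4j2": [
        ("1.8.0", "1.9.2", "1.9.2"), ("1.10.0", "1.10.9", "1.10.9"),
        ("1.11.0", "1.11.12", "1.11.12"), ("2.0.0", "2.0.13", "2.0.13")],
}
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.\d+)*(?:[-.]([A-Za-z][\w.-]*))?$")

def parse_version(text):
    """'2.0-alpha1' -> (2, 0, 0, 0); '2.17.0' -> (2, 17, 0, 1).  A pre-release qualifier
    sorts below the final release of the same number, as Maven orders it."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), 0 if qualifier else 1)

def assess(coordinate, version):
    """Return (vulnerable, fixed_version) for a Maven 'group:artifact' at a version."""
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES.get(coordinate, []):
        if (lower is None or parse_version(lower) <= v) and v < parse_version(upper):
            return True, fixed
    return False, None

def audit(dependency_lines):
    """Scan 'group:artifact[:type]:version[:scope]' lines; return (coordinate, version, fix)."""
    findings = []
    for line in dependency_lines:
        parts = line.strip().split(":")
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        # The version is the first field after the artifact that starts with a digit (skips 'jar').
        version = next((p for p in parts[2:] if p[:1].isdigit()), None)
        if version is not None:
            vulnerable, fixed = assess(f"{parts[0]}:{parts[1]}", version)
            if vulnerable:
                findings.append((f"{parts[0]}:{parts[1]}", version, fixed))
    return findings

SAMPLE_DEPENDENCIES = [  # constructed sample input, not taken from any real project
    "org.apache.logging.log4j:log4j-core:jar:2.16.0:compile",
    "org.apache.logging.log4j:log4j-api:jar:2.16.0:compile",
    "org.ops4j.pax.logging:pax-logging-log4j2:jar:1.11.11:runtime",
    "org.apache.logging.log4j:log4j-core:jar:2.17.0:test",
]
```

`audit(SAMPLE_DEPENDENCIES)` reports only the 2.16.0 log4j-core and the 1.11.11 pax-logging entries, each with the version to move to.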
Affected products
- ghsa-coords (2 version ranges, no CPE): >= 2.4.0, < 2.12.3; >= 1.8.0, < 1.9.2
- Apache Software Foundation / Apache Log4j2 (v5 range): log4j-core
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-p6xc-xr62-6r2g (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-45105 (ghsa: ADVISORY)
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd (mitre: vendor-advisory, x_refsource_CISCO)
- www.debian.org/security/2021/dsa-5024 (ghsa: vendor-advisory, x_refsource_DEBIAN, WEB)
- www.kb.cert.org/vuls/id/930724 (ghsa: third-party-advisory, x_refsource_CERT-VN, WEB)
- www.openwall.com/lists/oss-security/2021/12/19/1 (ghsa: mailing-list, x_refsource_MLIST, WEB)
- cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf (ghsa: x_refsource_CONFIRM, WEB)
- cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf (ghsa: x_refsource_CONFIRM, WEB)
- lists.debian.org/debian-lts-announce/2021/12/msg00017.html (ghsa: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY (ghsa: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ (ghsa: WEB)
- logging.apache.org/log4j/2.x/security.html (ghsa: x_refsource_MISC, WEB)
- psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 (ghsa: x_refsource_CONFIRM, WEB)
- sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd (ghsa: WEB)
- security.netapp.com/advisory/ntap-20211218-0001 (ghsa: WEB; mitre: x_refsource_CONFIRM)
- www.oracle.com/security-alerts/cpuapr2022.html (ghsa: x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujan2022.html (ghsa: x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujul2022.html (ghsa: x_refsource_MISC, WEB)
- www.zerodayinitiative.com/advisories/ZDI-21-1541 (ghsa: WEB; mitre: x_refsource_MISC)
News mentions
No linked articles in our index yet.