Medium severity · GHSA Advisory · Published Oct 1, 2025 · Updated Apr 15, 2026

CVE-2025-11226


Description

Arbitrary code execution (ACE) vulnerability in the conditional configuration-file processing of QOS.CH logback-core, up to and including version 1.5.18 (the 1.3.x line before 1.3.16 is listed below as well), allows an attacker against Java applications to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.

A successful attack requires both the Janino library and the Spring Framework to be present on the application's class path. In addition, the attacker must have write access to a configuration file; alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases the attack requires pre-existing privilege on the host.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
ch.qos.logback:logback-core (Maven) | >= 1.4.0, < 1.5.19 | 1.5.19
ch.qos.logback:logback-core (Maven) | < 1.3.16 | 1.3.16

Affected products

1

Patches

1
61f6a2544f36

disallow new in if condition attribute in config files

https://github.com/qos-ch/logback · ceki · Sep 29, 2025 · via GHSA
3 files changed · +41 −4
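--- a/logback-core-blackbox/src/test/blackboxInput/joran/conditional/ifNew.xml
+++ b/logback-core-blackbox/src/test/blackboxInput/joran/conditional/ifNew.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+
+<x>
+    <stack name="BEGIN"/>
+    <if condition='new Integer(1).equals(1)'>
+        <then>
+            <stack name="a"/>
+        </then>
+        <else>
+            <stack name="b"/>
+        </else>
+    </if>
+    <stack name="END"/>
+</x>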
    
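--- a/logback-core-blackbox/src/test/java/ch/qos/logback/core/blackbox/joran/conditional/IfThenElseTest.java
+++ b/logback-core-blackbox/src/test/java/ch/qos/logback/core/blackbox/joran/conditional/IfThenElseTest.java
@@ -51,7 +51,6 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
-import java.io.IOException;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Stack;
@@ -129,6 +128,16 @@ public void whenContextPropertyIsSet_IfThenBranchIsEvaluated() throws JoranExcep
         verifyConfig(new String[] { "BEGIN", "a", "END" });
     }
 
+    @Test
+    public void ifWithNew() throws JoranException {
+        context.putProperty(ki1, val1);
+        simpleConfigurator.doConfigure(CONDITIONAL_DIR_PREFIX + "ifNew.xml");
+        checker.containsMatch(Status.ERROR, IfModelHandler.NEW_OPERATOR_DISALLOWED_MSG);
+        checker.containsMatch(Status.ERROR, IfModelHandler.NEW_OPERATOR_DISALLOWED_SEE);
+        verifyConfig(new String[] { "BEGIN", "END" });
+    }
+
+
     @Test
     public void whenLocalPropertyIsSet_IfThenBranchIsEvaluated() throws JoranException {
         simpleConfigurator.doConfigure(CONDITIONAL_DIR_PREFIX + "if_localProperty.xml");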
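Review bot: `ifWithNew` pins only the single spelling `new Integer(1)` from ifNew.xml, so a bypass of `hasNew`'s `contains("new ")` by other whitespace or a comment between keyword and type (`new&#9;Integer(1)`, where the tab survives XML attribute normalisation because it is a character reference, or `new/**/Integer(1)`) would go unnoticed; add one fixture per spelling and assert the same two `Status.ERROR` messages and `verifyConfig(new String[] { "BEGIN", "END" })`. The `context.putProperty(ki1, val1);` call looks carried over from the neighbouring property test — ifNew.xml references no property — so drop it or add a comment saying why it is needed. The test class begins and ends outside the hunk.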
    
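--- a/logback-core/src/main/java/ch/qos/logback/core/model/processor/conditional/IfModelHandler.java
+++ b/logback-core/src/main/java/ch/qos/logback/core/model/processor/conditional/IfModelHandler.java
@@ -1,6 +1,6 @@
 /**
  * Logback: the reliable, generic, fast and flexible logging framework.
- * Copyright (C) 1999-2022, QOS.ch. All rights reserved.
+ * Copyright (C) 1999-2025, QOS.ch. All rights reserved.
  *
  * This program and the accompanying materials are dual-licensed under
  * either the terms of the Eclipse Public License v1.0 as published by
@@ -33,6 +33,9 @@ public class IfModelHandler extends ModelHandlerBase {
     public static final String MISSING_JANINO_MSG = "Could not find Janino library on the class path. Skipping conditional processing.";
     public static final String MISSING_JANINO_SEE = "See also " + CoreConstants.CODES_URL + "#ifJanino";
 
+    public static final String NEW_OPERATOR_DISALLOWED_MSG = "The 'condition' attribute may not contain the 'new' operator.";
+    public static final String NEW_OPERATOR_DISALLOWED_SEE = "See also " + CoreConstants.CODES_URL + "#conditionNew";
+
     enum Branch {IF_BRANCH, ELSE_BRANCH; }
     
     IfModel ifModel = null;
@@ -75,6 +78,13 @@ public void handle(ModelInterpretationContext mic, Model model) throws ModelHand
                 return;
             }
 
+            // do not allow 'new' operator
+            if(hasNew(conditionStr)) {
+                addError(NEW_OPERATOR_DISALLOWED_MSG);
+                addError(NEW_OPERATOR_DISALLOWED_SEE);
+                return;
+            }
+
             try {
                 PropertyEvalScriptBuilder pesb = new PropertyEvalScriptBuilder(mic);
                 pesb.setContext(context);
@@ -96,8 +106,12 @@ public void handle(ModelInterpretationContext mic, Model model) throws ModelHand
             }
         }
     }
-    
-    
+
+    private boolean hasNew(String conditionStr) {
+        return conditionStr.contains("new ");
+    }
+
+
     @Override
     public void postHandle(ModelInterpretationContext mic, Model model) throws ModelHandlerException {
 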
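Review bot: `hasNew` on the new side matches only the literal substring `new ` (keyword plus one space), so a condition spelled `new&#9;Integer(1)` (the tab is kept through XML attribute normalisation when written as a character reference) or `new/**/Integer(1)` contains no such substring and is still handed to the Janino evaluator; match the keyword as a token instead, `private static final Pattern NEW_KEYWORD = Pattern.compile("\\bnew\\b");` and `return NEW_KEYWORD.matcher(conditionStr).find();` (needs `java.util.regex.Pattern`). That pattern also fires on `new` inside a string literal within the condition, which is an acceptable false positive for a deny-list. As far as this hunk shows, an expression with no `new` at all — a static call such as `Runtime.getRuntime().exec(...)` — passes the check unchanged, so unless the script built by `PropertyEvalScriptBuilder` is restricted elsewhere this is a narrow mitigation rather than a fix, and the advisory text should say so. `handle` starts and ends outside the hunk.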
    


References

7
