CVE-2025-68161: Apache Log4j Core: Missing TLS hostname verification in Socket appender
Published Dec 18, 2025
Affected Software
10 affected components (fixes available)
Apache Log4j Core: >=2.0-beta9, <2.25.2
maven/org.apache.logging.log4j:log4j-core: >=2.0-beta9, <2.25.3 (fixed in 2.25.3)
Microsoft azl3 javapackages-bootstrap: 1.14.0-3
Apache Log4j: >=2.0.1, <2.25.3
Apache Log4j: =2.0
Apache Log4j: =2.0-beta9
Apache Log4j: =2.0-rc1
Apache Log4j: =2.0-rc1-rc1
Apache Log4j: =2.0-rc2
IBM watsonx.data: <=2.2 - 2.3.1
Remediation: Patch available
Event History
Dec 18, 2025
CVE Published via MITRE, 08:47 PM
Data Sourced via MITRE, 08:47 PM: Description, Weakness
Data Sourced via NVD, 09:15 PM: Description, Severity, Weakness
Data Sourced via NVD, 09:15 PM: Remedy, Affected Software
Advisory Published via GitHub, 09:31 PM
Data Sourced via GitHub, 09:31 PM: Description, Weakness, Affected Software
Dec 21, 2025
Data Sourced via Microsoft, 01:02 AM: Description, Severity, Weakness, Affected Software
May 9, 2026
Data Sourced via IBM, 12:00 AM: Description, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2025-68161?
CVE-2025-68161 is classified as a high-severity vulnerability because the Socket appender in Apache Log4j Core does not perform TLS hostname verification.
2. What versions of Apache Log4j Core are affected by CVE-2025-68161?
CVE-2025-68161 affects Apache Log4j Core versions from 2.0-beta9 to 2.25.2.
3. How do I fix CVE-2025-68161?
To resolve CVE-2025-68161, upgrade Apache Log4j Core to a version higher than 2.25.2, where TLS hostname verification is implemented.
4. What impact does CVE-2025-68161 have on my application?
Because the Socket appender does not verify that the peer's TLS certificate matches the host it is connecting to, CVE-2025-68161 can allow an attacker positioned on the network path to perform a man-in-the-middle attack against the log stream.
5. Is CVE-2025-68161 relevant for all applications using Log4j?
CVE-2025-68161 is specifically relevant to applications that use the Socket appender over TLS in affected versions of Apache Log4j Core; other appenders are not affected by this issue.