
CVE-2025-54813: CWE-117 Improper Output Neutralization for Logs in Apache Software Foundation Apache Log4cxx

Severity: Medium
Tags: Vulnerability, CVE-2025-54813, CWE-117
Published: Fri Aug 22 2025 (08/22/2025, 18:45:42 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Log4cxx

Description

Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using JSONLayout, not all payload bytes are properly escaped. If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as part of the JSON message. This may prevent applications that consume these logs from correctly interpreting the information within them. This issue affects Apache Log4cxx: before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue.

AI-Powered Analysis

Last updated: 11/10/2025, 19:08:24 UTC

Technical Analysis

CVE-2025-54813 is a vulnerability classified under CWE-117 (Improper Output Neutralization for Logs) affecting Apache Log4cxx versions before 1.5.0. The issue arises specifically when the JSONLayout feature is used for logging. In this context, certain non-printable characters within attacker-controlled log messages are not escaped before being written into JSON-formatted logs. Because these characters are passed through verbatim, the resulting log entries are malformed or corrupted JSON. Such malformed logs can cause applications or security tools that consume them to fail to parse or interpret the log data correctly, potentially hiding malicious activity or disrupting log analysis pipelines. The vulnerability is remotely exploitable without requiring authentication or user interaction, which increases its risk profile. The CVSS 4.0 base score of 6.3 reflects medium severity: exploitation is easy and the impact on confidentiality and availability is limited, but the integrity of log data is notably affected. The Apache Software Foundation has addressed this issue in Log4cxx version 1.5.0, which properly escapes all payload bytes in JSONLayout output. No public exploits are currently known, but the vulnerability poses a risk to organizations that rely on Log4cxx for structured logging, especially in environments where logs are critical for security monitoring and incident response.

Potential Impact

For European organizations, the improper neutralization of log output can have several impacts. Primarily, it undermines the integrity and reliability of log data, which is essential for security monitoring, forensic investigations, and compliance reporting under regulations such as GDPR and NIS Directive. Malformed JSON logs may cause security information and event management (SIEM) systems or log analytics platforms to miss or misinterpret critical security events, delaying detection of attacks or insider threats. This can increase the risk of undetected breaches or compliance violations. Additionally, operational disruptions may occur if log-consuming applications fail or behave unpredictably due to corrupted log formats. Organizations in sectors with high regulatory scrutiny or critical infrastructure operations are particularly vulnerable to these impacts. While the vulnerability does not directly expose sensitive data or cause denial of service, the degradation of log integrity can indirectly facilitate persistent threats and complicate incident response efforts.

Mitigation Recommendations

The primary mitigation is to upgrade Apache Log4cxx to version 1.5.0 or later, where the JSONLayout escaping issue is fixed. Organizations should audit their environments to identify all instances of Log4cxx usage, especially those configured with JSONLayout, to ensure comprehensive patching. In parallel, review and enhance log ingestion and parsing pipelines to detect and handle malformed JSON logs gracefully, possibly by implementing validation and sanitization steps before log consumption. Employ monitoring to detect anomalies in log volume or format that may indicate exploitation attempts. Where immediate upgrade is not feasible, consider disabling JSONLayout or restricting log inputs to trusted sources to reduce exposure. Finally, update incident response playbooks to account for potential log integrity issues and ensure forensic readiness despite malformed logs.
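The ingestion-side validation step recommended above, as an added example that is not part of this advisory or of Log4cxx itself. It parses newline-delimited JSON records, and when a record fails only because raw C0 control characters were written verbatim inside a string (the failure mode this CVE describes), it escapes them and tags the record so the integrity problem stays visible downstream. The record field names are constructed and the escape-and-tag policy is an assumption about what a pipeline wants; a stricter pipeline could quarantine instead.

```python
import json


def escape_raw_controls_in_strings(body: str) -> tuple[str, list[int]]:
    """Replace raw C0 control characters found inside JSON string literals
    with \\uXXXX escapes. Existing escape pairs (\\n, \\u001b) are kept as
    they are, and control characters outside strings are left alone (a tab
    between tokens is legal whitespace). Returns the repaired text and the
    code points that were found, in order."""
    out, found, in_string, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if in_string and c == "\\":
            out.append(body[i:i + 2])          # keep an existing escape pair intact
            i += 2
            continue
        if c == '"':
            in_string = not in_string
        elif in_string and ord(c) < 0x20:
            found.append(ord(c))
            c = "\\u%04x" % ord(c)
        out.append(c)
        i += 1
    return "".join(out), found


def ingest(line: str) -> dict:
    """Parse one newline-delimited JSON log record. Records that fail only
    because of raw control characters are repaired and tagged instead of
    being silently dropped; anything else unparseable is rejected."""
    body = line.rstrip("\r\n")                 # record terminator, not payload
    try:
        return {"status": "ok", "record": json.loads(body)}   # strict mode rejects raw controls
    except json.JSONDecodeError:
        pass
    repaired, found = escape_raw_controls_in_strings(body)
    if not found:
        return {"status": "rejected", "record": None}
    try:
        record = json.loads(repaired)
    except json.JSONDecodeError:
        return {"status": "rejected", "record": None}
    record["_log_integrity"] = {"raw_control_chars": found}
    return {"status": "repaired", "record": record}


# Constructed sample records; field names are illustrative, not Log4cxx's exact layout.
SAMPLE_LINES = [
    '{"level":"INFO","logger":"app","message":"user login ok"}\n',
    '{"level":"WARN","logger":"app","message":"input \\u001b[2K rejected"}\n',   # escaped ESC: valid
    '{"level":"WARN","logger":"app","message":"input \x1b[2K\x00 rejected"}\n',  # raw ESC and NUL
    '{"level":"ERROR","logger":"app","message":"truncated\n',                    # broken, no controls
]
```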


Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2025-07-30T01:20:34.786Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a8bed7ad5a09ad0021646d

Added to database: 8/22/2025, 7:02:47 PM

Last enriched: 11/10/2025, 7:08:24 PM

Last updated: 11/21/2025, 1:34:55 AM
