CVE-2025-54812: 
NixOS vulnerability analysis and mitigation

CVE-2025-54812 is an Improper Output Neutralization for Logs vulnerability discovered in Apache Log4cxx. The vulnerability was disclosed on August 22, 2025, affecting all versions of Apache Log4cxx before 1.5.0. The issue occurs when using HTMLLayout, where logger names are not properly escaped when writing out to the HTML file (Apache Advisory).

The vulnerability stems from improper HTML escaping in HTMLLayout when handling logger names. When writing to HTML files, the logger names are not properly sanitized, which could allow HTML or JavaScript injection if untrusted data is used in logger names. The vulnerability has been assigned a CVSS 4.0 score of 2.1 LOW with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N (NVD).

The impact of this vulnerability is considered LOW because logger names are generally constant strings. However, if exploited, an attacker could potentially inject HTML or JavaScript code that could hide information from logs or steal data from users who view the generated HTML log file in their browser (Apache Advisory).

Users are recommended to upgrade to Apache Log4cxx version 1.5.0, which contains the fix for this vulnerability. The issue was addressed through two pull requests that implement proper escaping of special characters in HTML attributes (Apache Advisory).

The vulnerability was discovered and remediated with support from the Sovereign Tech Agency through the Apache Log4j Bug Bounty Program on YesWeHack, demonstrating the effectiveness of coordinated vulnerability research programs (Apache Advisory).