Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:X/V:X/RE:M/U:Green
Local config or env access required (AV:L, PR:H); Janino+Spring classpath dependency makes it AC:H; full code execution yields C:H/I:H but no inherent availability impact.
AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L
Primary rating from Vendor (ncsc).
CVSS VectorVendor: ncsc
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:X/V:X/RE:M/U:Green
Lifecycle Timeline
10Blast Radius
ecosystem impact- 371 maven packages depend on ch.qos.logback:logback-core (44 direct, 327 indirect)
Ecosystem-wide dependent count for version 1.4.0.
DescriptionCVE.org
ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.
A successful attack requires the presence of Janino library and Spring Framework to be present on the user's class path. In addition, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
AnalysisAI
Arbitrary code execution in QOS.CH logback-core through 1.5.18 allows attackers with write access to a logback configuration file (or the ability to set environment variables) to execute Java code via the conditional configuration feature when the Janino library and Spring Framework are also on the classpath. No public exploit identified at time of analysis and EPSS is low (0.06%), but the issue is tagged as RCE in widely deployed Java logging infrastructure and a vendor patch is available.
Technical ContextAI
Logback-core is the underlying engine of the widely used Logback Java logging framework. The vulnerability sits in the Joran configurator's conditional element (<if condition='...'>), which evaluates Janino-compiled Java expressions; when Spring is also present, expression evaluation can be expanded into a full code-execution sink. The CWE-20 (Improper Input Validation) root cause is that the condition string was passed to Janino without restricting dangerous constructs such as the 'new' operator, allowing instantiation of arbitrary classes. The upstream commit 61f6a25 (issue #974) introduces a hasNew() guard in IfModelHandler that rejects any condition containing 'new '.
RemediationAI
Vendor-released patch: upgrade logback-core to 1.5.19 (or 1.3.16 on the legacy 1.3.x branch) per the QOS.CH release notes at https://logback.qos.ch/news.html#1.5.19 and the GitHub release at https://github.com/qos-ch/logback/releases/tag/v_1.5.19; SUSE users should apply SUSE-SU-2025:03456. As a compensating control until patching, remove Janino (janino.jar) from the classpath where it is not required - this disables <if> conditional configuration evaluation entirely, which is the trade-off; alternatively, audit and tightly restrict filesystem permissions on logback.xml/logback-test.xml so only the application service account can read them and no non-admin user can write them, and prevent untrusted callers from setting the LOGBACK_CONFIG / logback.configurationFile environment variable or JVM property at process start.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-20 – Improper Input Validation
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 1:1.2.3-6 | - |
| bookworm | fixed | 1:1.2.11-3 | - |
| forky, sid, trixie | fixed | 1:1.2.11-6 | - |
| (unstable) | not-affected | - | - |
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| openSUSE Tumbleweed | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-32903
GHSA-25qh-j22f-pwp8