Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Green
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Green
Lifecycle Timeline
2Blast Radius
ecosystem impact- 193 maven packages depend on ch.qos.logback:logback-core (11 direct, 182 indirect)
Ecosystem-wide dependent count for version 1.5.33.
DescriptionCVE.org
Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection albeit heavily restricted.
More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate objects from classes in the java.lang and java.util packages that are not explicitly blocked.
Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions.
This issue affects logback: through 1.5.32 inclusive.
AnalysisAI
Security restriction bypass in logback-core's HardenedObjectInputStream allows limited object injection via logback's SimpleSocketServer and SimpleSSLSocketServer components, affecting all versions through 1.5.32 inclusive. An attacker who can influence serialized data submitted to these socket server endpoints can instantiate objects from java.lang and java.util classes not explicitly blocked by the hardened deserializer, circumventing its intended allowlist controls. The vendor and NVD both confirm no practical remote code execution or significant privilege escalation has been identified; the real-world impact is limited confidentiality and integrity exposure. No public exploit identified at time of analysis beyond E:P proof-of-concept maturity indicated in the CVSS vector. Not listed in CISA KEV.
Technical ContextAI
Logback is a widely deployed Java logging framework (successor to log4j 1.x) produced by QOS.CH. The affected component is logback-core, specifically its HardenedObjectInputStream class, which was introduced as a security hardening measure to restrict Java deserialization by blocking dangerous classes - a defense against the class of attacks popularized by Apache Commons Collections-style gadget chains. SimpleSocketServer and SimpleSSLSocketServer are logback's built-in remote logging receivers that accept serialized LoggingEvent objects over TCP sockets. The root cause is CWE-502 (Deserialization of Untrusted Data): despite HardenedObjectInputStream's blocklist, classes within java.lang and java.util are not explicitly prohibited, creating a partial bypass of the intended security boundary. The vulnerability does not constitute a full deserialization gadget chain exploit because the java.lang/java.util namespace lacks the utility classes (e.g., InvokerTransformer, ReflectionUtils) needed to achieve code execution under normal circumstances.
RemediationAI
Upgrade logback-core to version 1.5.33, which is the fix release referenced by the vendor at https://logback.qos.ch/news.html#1.5.33. The patched version is inferred from the reference URL anchor fragment but has not been independently verified against a formal advisory document - confirm the release notes at that URL before deploying. As a compensating control for organizations that cannot patch immediately, disable or firewall SimpleSocketServer and SimpleSSLSocketServer if remote socket-based log ingestion is not required, as the attack path is contingent on those components being reachable and receiving attacker-influenced serialized data. Restricting network access to the socket server port (default 4560/tcp) to trusted logging clients only further limits exposure, though the AV:L vector suggests the attacker must already have some local foothold. Given the low CVSS score and absence of practical RCE, this vulnerability does not warrant emergency patching outside of compliance-driven timelines.
Same weakness CWE-502 – Deserialization of Untrusted Data
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32895
GHSA-p47f-322f-whfh