Logback-core 1.5.18 ACE via Env. Var. Config Arbitrary Code Exec
CVE-2025-11226 Published on October 1, 2025
Conditional processing of logback.xml configuration file, in conjuction with Spring Framework and Janino
ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.
A successful attack requires the presence of Janino library and Spring Framework to be present on the user's class path. In addition, the attacker must have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.
Weakness Type
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Products Associated with CVE-2025-11226
Want to know whenever a new CVE is published for Qoschsarl Logback Core? stack.watch will email you.
Affected Versions
QOS.CH Sarl Logback-core:- Version 0.9.20, <= 1.5.18 is affected.
- Version 1.5.19 is unaffected.
- Version 1.3.16 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.