(kafka) branch 4.2 updated: KAFKA-20038 Upgrade Log4j to 2.25.3 to fix CVE-2025-68161 (#21249)

chia7712 Wed, 07 Jan 2026 00:37:02 -0800

This is an automated email from the ASF dual-hosted git repository.

chia7712 pushed a commit to branch 4.2
in repository https://gitbox.apache.org/repos/asf/kafka.git



The following commit(s) were added to refs/heads/4.2 by this push:
     new 24ef4f0a13b KAFKA-20038 Upgrade Log4j to 2.25.3 to fix CVE-2025-68161 
(#21249)
24ef4f0a13b is described below

commit 24ef4f0a13bf0bf2a7b9d908a6b44aec8cb62956
Author: Ken Huang <[email protected]>
AuthorDate: Wed Jan 7 16:32:18 2026 +0800

    KAFKA-20038 Upgrade Log4j to 2.25.3 to fix CVE-2025-68161 (#21249)
    
    Updated lo4j2 version to 2.25.3 to prevent CVE. FYI:
    https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core
    
    CVE LINK : https://nvd.nist.gov/vuln/detail/CVE-2025-68161
    
    Reviewers: Chia-Ping Tsai <[email protected]>
---
 LICENSE-binary             | 8 ++++----
 gradle/dependencies.gradle | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index 43bf1c41e27..2b2fbec080c 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -238,10 +238,10 @@ License Version 2.0:
 - jetty-util-12.0.22
 - jose4j-0.9.6
 - jspecify-1.0.0
-- log4j-api-2.25.1
-- log4j-core-2.25.1
-- log4j-slf4j-impl-2.25.1
-- log4j-1.2-api-2.25.1
+- log4j-api-2.25.3
+- log4j-core-2.25.3
+- log4j-slf4j-impl-2.25.3
+- log4j-1.2-api-2.25.3
 - lz4-java-1.10.1
 - maven-artifact-3.9.6
 - metrics-core-2.2.0
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 29e89f34521..fb0465b66eb 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -105,7 +105,7 @@ versions += [
   kafka_39: "3.9.1",
   kafka_40: "4.0.0",
   kafka_41: "4.1.1",
-  log4j2: "2.25.1",
+  log4j2: "2.25.3",
   // When updating lz4 make sure the compression levels in 
org.apache.kafka.common.record.CompressionType are still valid
   // 
https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L73-L74
   // 
https://github.com/yawkat/lz4-java/blob/main/src/java/net/jpountz/lz4/LZ4Constants.java#L23-L24

(kafka) branch 4.2 updated: KAFKA-20038 Upgrade Log4j to 2.25.3 to fix CVE-2025-68161 (#21249)

Reply via email to