Securityguy473 opened a new issue, #6653: URL: https://github.com/apache/jmeter/issues/6653
### Expected behavior

Hi! I have noticed that the Log4j version being used in Apache JMeter 5.6.3 is version 2.22.1. This Log4j version is vulnerable to CVE-2025-68161 (Log4j up to version 2.25.2). We are using Microsoft Defender in our organization to monitor threats. I need guidance on how to manage this security issue. Does JMeter need to release a new version, or can we manually change the Log4j version somehow? When can we expect a new version of JMeter?

### Actual behavior

Actual file path: C:\....\apache-jmeter-5.6.3\lib\log4j-core-2.22.1.jar

### Steps to reproduce the problem

-

### JMeter Version

5.6.3

### Java Version

Not relevant

### OS Version

Windows 11

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
