CVE-2025-11226
📋 TL;DR
This CVE describes an arbitrary code execution vulnerability in QOS.CH logback-core versions up to 1.5.18. Attackers can exploit conditional configuration file processing to execute malicious code by compromising logback configuration files or injecting malicious environment variables. Java applications using logback-core with Janino library and Spring Framework present are affected.
💻 Affected Systems
- QOS.CH logback-core
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the Java application process, potentially leading to data theft, ransomware deployment, or complete system takeover.
Likely Case
Local privilege escalation or lateral movement within compromised environments where attackers already have some access to configuration files or environment variables.
If Mitigated
Limited impact with proper file permissions and environment variable controls preventing unauthorized modifications.
🎯 Exploit Status
Exploitation requires existing access to modify configuration files or environment variables; not remotely exploitable without prior compromise
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.19
Vendor Advisory: https://logback.qos.ch/news.html#1.5.19
Restart Required: Yes
Instructions:
1. Update the logback-core dependency to version 1.5.19 or later in your project's build configuration (Maven pom.xml, Gradle build.gradle, etc.).
2. Rebuild and redeploy your Java application.
3. Restart the application server or service.
🔧 Temporary Workarounds
Remove Janino dependency (all platforms)
Remove the Janino library from the classpath to disable conditional expression evaluation in the logback configuration.
Remove the Janino dependency from your Maven/Gradle configuration.
Restrict configuration file permissions (Linux)
Set strict file permissions on logback configuration files to prevent unauthorized modifications:
chmod 600 logback.xml
chown root:root logback.xml
🧯 If You Can't Patch
- Implement strict access controls on configuration files to prevent unauthorized modifications
- Monitor and restrict environment variable modifications in your deployment environment
🔍 How to Verify
Check if Vulnerable:
Check your project's dependency management file (pom.xml, build.gradle) for a logback-core version <= 1.5.18 and verify that the Janino library is present.
Check Version:
Maven: mvn dependency:tree | grep logback-core
Gradle: gradle dependencies | grep logback-core
Verify Fix Applied:
Verify logback-core version is 1.5.19 or later in your dependency management file and rebuilt application
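The check above can be scripted against the dependency tree output. The following is an added example, not part of the original advisory or of the logback project: it reads `mvn dependency:tree` or `gradle dependencies` text, extracts the logback-core version, compares it against 1.5.18, and reports whether Janino is on the classpath. The sample tree embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE_TREE='[INFO] +- ch.qos.logback:logback-classic:jar:1.5.18:compile
[INFO] |  \- ch.qos.logback:logback-core:jar:1.5.18:compile
[INFO] +- org.codehaus.janino:janino:jar:3.1.12:compile
[INFO] +- org.springframework:spring-core:jar:6.1.0:compile'

# version_le A B: succeed (exit 0) when dotted version A <= B, comparing
# each numeric component in turn; missing components count as 0.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# logback_core_version: print the first ch.qos.logback:logback-core version
# found in dependency tree text on stdin (Maven "jar:" segment is optional,
# so Gradle-style "group:artifact:version" lines are handled too).
logback_core_version() {
    sed -n 's/.*ch\.qos\.logback:logback-core:\(jar:\)\{0,1\}\([0-9][0-9.]*\).*/\2/p' | head -n 1
}

# assess_tree: read a dependency tree from stdin and print one status line.
# Per the advisory, the vulnerable condition is logback-core <= 1.5.18 with
# Janino present; Spring presence is reported as supporting information.
assess_tree() {
    tree=$(cat)
    ver=$(printf '%s\n' "$tree" | logback_core_version)
    [ -n "$ver" ] || { echo "NO_LOGBACK_CORE"; return 0; }
    janino=absent; spring=absent
    printf '%s\n' "$tree" | grep -q 'org\.codehaus\.janino:janino:' && janino=present
    printf '%s\n' "$tree" | grep -q 'org\.springframework:' && spring=present
    if version_le "$ver" "1.5.18" && [ "$janino" = present ]; then
        echo "VULNERABLE logback-core=$ver janino=$janino spring=$spring"
    else
        echo "NOT_VULNERABLE logback-core=$ver janino=$janino spring=$spring"
    fi
}

printf '%s\n' "$SAMPLE_TREE" | assess_tree
```

Pipe real output in with `mvn dependency:tree | assess_tree`; a tree with no logback-core at all prints NO_LOGBACK_CORE rather than a false negative.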
📡 Detection & Monitoring
Log Indicators:
- Unexpected logback configuration reloads
- Errors related to Janino expression evaluation
- Suspicious environment variables pointing to external configuration files
Network Indicators:
- Outbound connections from Java process to unexpected destinations following configuration changes
SIEM Query:
Process execution with suspicious arguments following logback configuration file modification OR Environment variable modification containing 'logback' or configuration file paths