CVE-2025-11226 Overview
CVE-2025-11226 is an arbitrary code execution (ACE) vulnerability in QOS.CH logback-core versions up to and including 1.5.18. The flaw resides in conditional configuration file processing within Java applications that use logback. An attacker with existing privileges can execute arbitrary code by tampering with a logback configuration file or by injecting a malicious environment variable that points to an attacker-controlled configuration file. Exploitation requires the Janino library and the Spring Framework to be on the application's class path. The vulnerability is tracked under [CWE-20] Improper Input Validation.
Critical Impact
An authenticated local attacker with write access to a logback configuration file or the ability to set environment variables can execute arbitrary Java code in the context of the target application.
Affected Products
- QOS.CH logback-core versions up to and including 1.5.18
- Java applications loading logback when the Janino library is on the class path
- Java applications loading logback when the Spring Framework is on the class path
Discovery Timeline
- 2025-10-01 - CVE-2025-11226 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-11226
Vulnerability Analysis
Logback supports conditional processing inside its XML configuration files. The conditional evaluation logic in logback-core invokes the Janino expression compiler, which can compile and execute Java expressions at runtime. When the Spring Framework is also present on the class path, the expression context exposes APIs that can be chained to load and execute arbitrary Java code. An attacker who controls the contents of a logback configuration file controls the expressions Janino evaluates, which results in arbitrary code execution inside the JVM process that loads the configuration.
Because the issue lives in conditional configuration handling, exploitation does not require a network-facing input. The configuration file itself becomes the malicious payload. The vulnerability is classified as Improper Input Validation [CWE-20] because logback does not constrain or sanitize the expressions executed during configuration parsing.
Root Cause
The root cause is unrestricted evaluation of expressions inside <if> conditional blocks during logback configuration parsing. Logback delegates expression compilation to Janino without isolating it from sensitive class paths. When Spring Framework classes are reachable, those expressions can instantiate and invoke arbitrary code paths. Logback treats configuration files as trusted input, but applications regularly read configuration paths from environment variables such as logback.configurationFile, which an attacker with shell access can override.
Attack Vector
There are two viable attack paths. First, an attacker with write access to an existing logback configuration file can inject a malicious <if> block containing Java expressions. Second, an attacker who can set environment variables for the target process before it starts can point logback to a configuration file under their control. Both require existing privilege on the host, which is why the attack vector is local. Once the application starts and parses the configuration, Janino compiles the embedded expression and the JVM executes the attacker's code with the privileges of the application.
No verified public exploit code is available. The vulnerability mechanism is described in the Logback Release Notes 1.5.19 and the Logback Release Notes 1.3.16.
Detection Methods for CVE-2025-11226
Indicators of Compromise
- Unexpected modifications to logback.xml, logback-test.xml, or logback-spring.xml files in application directories.
- Logback configuration files containing <if> conditional blocks that reference Spring classes or invoke reflection APIs.
- Process environment variables such as logback.configurationFile pointing to paths outside the application's standard configuration directory.
- Java application processes spawning unexpected child processes (bash, sh, cmd.exe, powershell.exe) shortly after startup.
Detection Strategies
- Inventory Java applications and identify those bundling vulnerable logback-core versions at or below 1.5.18 alongside Janino and Spring.
- Apply file integrity monitoring to all logback configuration files and alert on unauthorized writes.
- Hunt for Janino runtime classes (org.codehaus.janino.*) being loaded by processes that do not normally use expression compilation.
- Correlate JVM process starts with environment variable changes that override logback configuration paths.
Monitoring Recommendations
- Forward Java application logs and host process telemetry to a central data lake for correlation across configuration changes and child process creation.
- Alert on writes to configuration files by non-administrative users or service accounts that should not modify application configuration.
- Track environment variable assignments in shell history and systemd unit overrides on production hosts running Java workloads.
How to Mitigate CVE-2025-11226
Immediate Actions Required
- Upgrade logback-core to version 1.5.19 or later on the 1.5.x branch, or 1.3.16 or later on the 1.3.x branch.
- Audit logback configuration files for unauthorized <if> blocks and revert any unexpected changes.
- Restrict filesystem permissions on logback configuration files so only the application owner can modify them.
- Remove Janino from the class path of applications that do not require conditional configuration processing.
Patch Information
QOS.CH addressed the vulnerability in logback-core 1.5.19 and 1.3.16. Update Maven, Gradle, or other dependency manifests to pull the fixed versions. Refer to the Logback Release Notes 1.5.19 and the Logback Release Notes 1.3.16 for upgrade details.
Workarounds
- Remove the Janino dependency from applications that do not need conditional configuration logic, which prevents expression compilation.
- Set strict filesystem ACLs on logback configuration files so only privileged service accounts have write access.
- Disallow environment variable overrides for logback.configurationFile in service launch scripts and container manifests.
- Run Java applications under least-privilege service accounts to limit the impact of code execution within the JVM.
# Configuration example: restrict write access to logback configuration
chown root:appgroup /opt/app/config/logback.xml
chmod 640 /opt/app/config/logback.xml
# Maven dependency override to a patched version
# <dependency>
# <groupId>ch.qos.logback</groupId>
# <artifactId>logback-core</artifactId>
# <version>1.5.19</version>
# </dependency>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
