Skip to content
Verified reproduction

CVE-2026-49844: Log4j MapMessage emits invalid JSON for non-finite values

CVE-2026-49844 is verified against org.apache.logging.log4j:log4j-api · maven affected versions: >=2.13.1,<2.25.5; >=2.26.0,<2.26.1; >=3.0.0-alpha1,<=3.0.0-beta2 fixed version: 2.25.5; 2.26.1 This medium reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00286.

REPRO-2026-00286 org.apache.logging.log4j:log4j-api · maven Variant found Jul 13, 2026 CVE entry .txt
Severity MEDIUM
Confidence HIGH
Reproduced in 11m 14s
Tool calls 170
Spend $1.95
Affected >=2.13.1,<2.25.5; >=2.26.0,<2.26.1; >=3.0.0-alpha1,<=3.0.0-beta2
Fixed in 2.25.5; 2.26.1
$ pruva-verify REPRO-2026-00286
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00286/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

MapMessage.asJson() in Apache Log4j API emits bare NaN, Infinity, or -Infinity tokens when a logged MapMessage contains non-finite IEEE 754 floating-point values. These bare tokens violate RFC 8259 and produce invalid JSON that downstream parsers reject. This is a bypass of the incomplete fix for CVE-2026-34481, which fixed JsonTemplateLayout's JsonWriter but did not cover the MapMessage.asJson() / getFormattedMessage(["JSON"]) code path in log4j-api.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.