CVE-2026-49844: Log4j MapMessage emits invalid JSON for non-finite values
CVE-2026-49844 is verified against org.apache.logging.log4j:log4j-api · maven affected versions: >=2.13.1,<2.25.5; >=2.26.0,<2.26.1; >=3.0.0-alpha1,<=3.0.0-beta2 fixed version: 2.25.5; 2.26.1 This medium reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00286.
pruva-verify REPRO-2026-00286 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00286/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh MapMessage.asJson() in Apache Log4j API emits bare NaN, Infinity, or -Infinity tokens when a logged MapMessage contains non-finite IEEE 754 floating-point values. These bare tokens violate RFC 8259 and produce invalid JSON that downstream parsers reject. This is a bypass of the incomplete fix for CVE-2026-34481, which fixed JsonTemplateLayout's JsonWriter but did not cover the MapMessage.asJson() / getFormattedMessage(["JSON"]) code path in log4j-api.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.