
JsonWriter: Write non-finite floating-point values as strings #4080

Merged
ppkarwasz merged 3 commits into 2.25.x from fix/2.25.x/jtl-nan
Mar 24, 2026

Conversation

@ppkarwasz
Member

This change updates JsonWriter to serialize non-finite float and double values (NaN, Infinity, and -Infinity) as JSON strings.

This behavior aligns with Jackson's JsonWriteFeature#WRITE_NAN_AS_STRINGS.

Previously, these values were written without quotes, which produces invalid JSON according to the JSON specification.

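The following is an added illustration of the behaviour described in the PR description above (and summarised again in the review below); it is not code from this PR or from Log4j. The `SAMPLE_EVENT` dictionary, the field names and the small `write_number_before`/`write_number_after` writers are constructed here for the demonstration. `write_number_before` reproduces the pre-fix output (Python's `json.dumps` emits the bare `NaN`/`Infinity` tokens by default, exactly the invalid form the PR fixes), `write_number_after` implements the fix (non-finite values quoted, finite values left as numbers), and `parse_strict` is a strict RFC 8259 parser used to show that only the fixed output is valid JSON.

```python
import json
import math

# Constructed sample event (not from the PR): a log event whose numeric
# fields ended up non-finite, e.g. after a division by zero in a resolver.
SAMPLE_EVENT = {
    "level": "WARN",
    "message": "ratio computed",
    "ratio": float("nan"),
    "peak": float("inf"),
    "trough": float("-inf"),
    "count": 42,
}


def _reject_constant(token):
    # RFC 8259 defines no NaN/Infinity/-Infinity tokens; a strict parser fails here.
    raise ValueError(f"non-standard JSON token: {token}")


def parse_strict(text):
    """Parse text as RFC 8259 JSON. Python's json module accepts the bare
    tokens by default, so parse_constant is used to make it strict."""
    return json.loads(text, parse_constant=_reject_constant)


def write_number_before(value):
    """Pre-fix behaviour: the token is emitted unquoted. json.dumps reproduces
    this because allow_nan=True is its default, so NaN, Infinity and -Infinity
    leak into the output as bare tokens."""
    return json.dumps(value)


def write_number_after(value):
    """Post-fix behaviour: finite values stay JSON numbers, non-finite values
    become the JSON strings "NaN", "Infinity" and "-Infinity" (the spellings
    Java's Double.toString produces and Jackson's WRITE_NAN_AS_STRINGS emits)."""
    if math.isnan(value):
        return '"NaN"'
    if math.isinf(value):
        return '"Infinity"' if value > 0 else '"-Infinity"'
    return json.dumps(value)


def encode_event(event, number_writer):
    """Minimal object writer (hypothetical, not JsonWriter itself): floats go
    through number_writer, everything else through json.dumps."""
    members = []
    for key, value in event.items():
        encoded = number_writer(value) if isinstance(value, float) else json.dumps(value)
        members.append(f"{json.dumps(key)}:{encoded}")
    return "{" + ",".join(members) + "}"


def is_strict_json(text):
    """True if a strict RFC 8259 parser accepts the text."""
    try:
        parse_strict(text)
        return True
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return False


if __name__ == "__main__":
    before = encode_event(SAMPLE_EVENT, write_number_before)
    after = encode_event(SAMPLE_EVENT, write_number_after)
    print("before:", before, "| strict-valid:", is_strict_json(before))
    print("after: ", after, "| strict-valid:", is_strict_json(after))
```

Two practical consequences follow from the fix. A consumer that parses the pre-fix output with a strict parser (browsers' `JSON.parse`, Jackson without `JsonReadFeature.ALLOW_NON_NUMERIC_NUMBERS`) rejects the whole event, so one non-finite field can drop a record from a log pipeline; after the fix the event parses. The other side of the trade-off is that a field that is normally numeric now occasionally carries a string, so any downstream schema or index mapping that inferred a numeric type for that field has to tolerate both forms.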
@vy added the labels layouts (Affects one or more Layout plugins) and bug (Incorrect, unexpected, or unintended behavior of existing code) Mar 24, 2026
@vy added this to the 2.25.4 milestone Mar 24, 2026
@ppkarwasz requested a review from Copilot March 24, 2026 21:05
Contributor

Copilot AI left a comment


Pull request overview

Updates JsonWriter so that non-finite floating-point values (NaN, Infinity, -Infinity) are serialized as JSON strings, producing valid JSON output and aligning behavior with Jackson’s JsonWriteFeature#WRITE_NAN_AS_STRINGS.

Changes:

  • Serialize non-finite float/double values as quoted strings in JsonWriter.
  • Add parameterized tests covering non-finite float/double serialization.
  • Add a changelog entry documenting the fix.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

  • src/changelog/.2.x.x/4080_jtl-nan.xml: Adds changelog entry for the non-finite float/double JSON serialization fix.
  • log4j-layout-template-json/.../JsonWriter.java: Writes non-finite float/double values via writeString(...) instead of emitting invalid JSON numbers.
  • log4j-layout-template-json-test/.../JsonWriterTest.java: Adds parameterized tests asserting non-finite values are quoted.


@ppkarwasz merged commit 2c4dd1d into 2.25.x Mar 24, 2026
7 checks passed
@ppkarwasz deleted the fix/2.25.x/jtl-nan branch March 24, 2026 22:58
@github-project-automation (bot) moved this from Approved to Merged in Log4j pull request tracker Mar 24, 2026
@marcelstoer

marcelstoer commented Apr 27, 2026

Thanks for the fix. Ironically, it would have gained much less recognition if NIST hadn't assigned a 7.5 HIGH CVSS 3.1 score to CVE-2026-34481 (CVSS 4.0 is 6.3 MEDIUM).

@ppkarwasz
Member Author

ppkarwasz commented Apr 27, 2026

Hi @marcelstoer,

Sorry about that! 😉

We intentionally published a CVSS 4.0 score to prevent CISA from providing its own and blowing this out of proportion. Unfortunately NVD “enriches” the records independently by:

  • Assigning it the same CPE as for log4j-core (cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* instead of the one we gave in the CVE record cpe:2.3:a:apache:log4j_layout_template_json:*:*:*:*:*:*:*:*),
  • Dropping the Package URL,
  • Bumping the CVSS by lowering Complexity from High to Low and increasing Integrity from Low to High.

Since NVD is basically not operational, maybe you can convince your organization to source vulnerability records directly from the CVE database or GitHub Advisories? Note that the latter currently imports from NVD, so we had to manually improve the GitHub Advisories entry, which increased the delay between the disclosure and the availability of the data.

@marcelstoer

No need to be sorry about this. You did what you could and I sure do appreciate that.

maybe you can convince your organization to source vulnerability records directly from the CVE database or GitHub Advisories?

I'm involved with the OWASP Dependency Check project. We use it heavily at my org.

Note that the latter currently imports from NVD, so we had to manually improve the GitHub Advisories entry

I have been through that process a couple of times myself. It's a huge benefit that the GHSA program accepts PRs for their entries.

4 participants