[1.x] Update log4j to >= 2.25.3 due to CVE-2025-68161

## steps

1. Launch sbt (irrespective of any project and sbt version number)
2. sbt pulls log4j 2.17.1 into `~/.sbt/boot/scala-2.12.21/org.scala-sbt/sbt/1.12.5/log4j-core-2.17.1.jar`

## problem

log4j v 2.17.1 is 4 years old and affected by [CVE-2025-68161](https://nvd.nist.gov/vuln/detail/CVE-2025-68161). The presence of the jar triggers vulnerability scanners, and because every the dependency is pulled into local caches on every launch these alerts can't be fixed by users.

The issue [has been fixed in 2.25.3](https://github.com/apache/logging-log4j2/pull/4002).

## expectation

Launching sbt should pull the latest version of log4j.

## notes

There's a [recent commit](https://github.com/sbt/sbt/commit/dc0d055069f34efaa7e08d2cb68ca561a2cbec90) completely removing log4j, but this seems to planned only for the 2.x releases whose release dates are not yet known and not imminent.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[1.x] Update log4j to >= 2.25.3 due to CVE-2025-68161 #8863

steps

problem

expectation

notes

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[1.x] Update log4j to >= 2.25.3 due to CVE-2025-68161 #8863

Description

steps

problem

expectation

notes

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions