CVE-2021-45105

MEDIUM EXPLOITED RANSOMWARE

Apache Log4j 2.0-alpha1-2.16.0 - Denial of Service via Thread Context Map Self-Referential Lookup

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-45105 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 8 public exploits from researchers including cckuailong, iAmSOScArEd, name.

AI-analyzed exploit summary This repository contains a functional proof-of-concept for CVE-2021-45105, a Log4j2 denial-of-service vulnerability triggered by recursive lookup patterns. The PoC demonstrates the exploit via a Spring Boot application that logs malicious input, causing an infinite loop in Log4j's property interpolation.

Description

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

Exploits (8)

nomisec WORKING POC 13 stars
by cckuailong · poc
https://github.com/cckuailong/Log4j_dos_CVE-2021-45105

This repository contains a functional proof-of-concept for CVE-2021-45105, a Log4j2 denial-of-service vulnerability triggered by recursive lookup patterns. The PoC demonstrates the exploit via a Spring Boot application that logs malicious input, causing an infinite loop in Log4j's property interpolation.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Apache Log4j 2.0-beta9 to 2.16.0
No auth needed
Prerequisites: A vulnerable Log4j2 version (2.0-beta9 to 2.16.0) · Ability to send crafted input to a logging endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by iAmSOScArEd · poc
https://github.com/iAmSOScArEd/log4j2_dos_exploit

This is a functional proof-of-concept exploit for CVE-2021-45105, a denial-of-service (DoS) vulnerability in Apache Log4j2. The script crafts a malicious payload to trigger excessive recursion in Log4j2's lookup patterns, causing high CPU usage and potential service disruption.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Apache Log4j2 (versions 2.0-beta9 through 2.16.0, excluding 2.12.3)
No auth needed
Prerequisites: A target application using a vulnerable version of Log4j2 with user-controlled input logged via Log4j2
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by name · poc
https://github.com/name/log4j-remediation

This repository contains a Go-based tool for discovering and remediating the Log4Shell vulnerability (CVE-2021-45105) by scanning for and removing the 'JndiLookup.class' file from '.ear', '.jar', and '.war' files. It includes functionality to scan the filesystem and automatically patch vulnerable files.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Apache Log4j 2 (versions < 2.17.0)
No auth needed
Prerequisites: Access to the filesystem where vulnerable Log4j archives are stored
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by dileepdkumar · poc
https://github.com/dileepdkumar/https-github.com-pravin-pp-log4j2-CVE-2021-45105-1

This repository contains a Spring Boot application demonstrating CVE-2021-45105, a DoS vulnerability in Log4j2 versions 2.0-beta9 to 2.16.0. The exploit triggers an infinite loop in property interpolation via crafted HTTP headers or POST data.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Apache Log4j2 (2.0-beta9 to 2.16.0)
No auth needed
Prerequisites: A vulnerable Log4j2 version (2.0-beta9 to 2.16.0) · Network access to the target application
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by tejas-nagchandi · poc
https://github.com/tejas-nagchandi/CVE-2021-45105

This repository contains a working PoC for CVE-2021-45105, demonstrating a SpEL injection vulnerability in Spring Cloud Function. The exploit leverages malformed SpEL expressions in HTTP headers to trigger remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Spring Cloud Function (versions affected by CVE-2021-45105)
No auth needed
Prerequisites: Access to the vulnerable endpoint · Spring Cloud Function application exposed to untrusted input
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by pravin-pp · poc
https://github.com/pravin-pp/log4j2-CVE-2021-45105

This repository contains a Spring Boot application demonstrating CVE-2021-45105, a DoS vulnerability in Log4j2 due to infinite recursion in lookup patterns. The PoC includes endpoints that trigger the vulnerability via crafted headers or JSON payloads.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Apache Log4j 2.0-beta9 to 2.16.0
No auth needed
Prerequisites: A vulnerable Log4j2 version (2.0-beta9 to 2.16.0) · Ability to send HTTP requests to the target application
devstral-2 · analyzed Feb 16, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/BabooPan/Log4Shell-CVE-2021-44228-Demo

This repository provides a functional proof-of-concept for CVE-2021-44228 (Log4Shell) and CVE-2021-45105, demonstrating RCE via JNDI injection and DoS via recursive lookup. It includes detailed setup instructions, exploitation steps, and validation of the attack.

Classification
Working Poc 95%
Attack Type
Rce | Dos
Complexity
Moderate
Reliability
Reliable
Target: Apache Log4j 2.0-alpha1 through 2.16.0 (excluding 2.12.3)
No auth needed
Prerequisites: Docker · Java 11 · curl · access to vulnerable Log4j application
devstral-2 · analyzed Feb 25, 2026 Full analysis →

References (13)

Core 13
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://logging.apache.org/log4j/2.x/security.html
Third Party Advisory x_refsource_confirm
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
https://www.kb.cert.org/vuls/id/930724
Mailing List, Mitigation, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/12/19/1
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2021/dsa-5024
Third Party Advisory x_refsource_confirm
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20211218-0001/
Third Party Advisory, VDB Entry x_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-21-1541/
Third Party Advisory x_refsource_confirm
https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 5.9
EPSS 0.7402
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2021-12-22
Ransomware Use Confirmed
CWE
CWE-20 CWE-674
Status published
Products (50)
apache/log4j 2.0 - 2.3.1
Apache Software Foundation/Apache Log4j2 log4j-core - 2.17.0
debian/debian_linux 10.0
debian/debian_linux 11.0
netapp/cloud_manager
oracle/agile_engineering_data_management 6.2.1.0
oracle/agile_plm 9.3.6
oracle/agile_plm_mcad_connector 3.6
oracle/autovue_for_agile_product_lifecycle_management 21.0.2
oracle/banking_deposits_and_lines_of_credit_servicing 2.12.0
... and 40 more
Published Dec 18, 2021
Tracked Since Feb 18, 2026