A concerning number of Log4j downloads are still vulnerable four years on
Despite safe Log4j versions having been available for years, many organizations haven't introduced them
Four years on from Log4Shell, more than one in ten Log4j downloads still contain the vulnerability, according to data from Sonatype.
Over the last year, 14% of Log4j downloads in the UK were vulnerable, the company found, with the global figure standing at around 13% despite the availability of safe versions.
Notably, Sonatype found the problem isn't specific to Log4j, with around 95% of vulnerable open source components downloaded already having a fixed version available.
"The Log4j vulnerability doesn’t even crack the top few anymore. Sonatype Security Research examined some of the most frequently downloaded avoidable vulnerabilities — collectively they have been downloaded more than 2.94 billion times this year or since their patches were released (whichever is more recent)," said the firm.
"Every one of those downloads represents unnecessary risk: teams pulling vulnerable versions when fixed ones already exist, and have for years."
How the Log4Shell incident unfolded
Log4Shell, a critical zero-day flaw in a widely used Java logging library, appeared in December 2021 and was immediately and widely exploited. Nearly one million attack attempts were launched within 72 hours of the vulnerability's disclosure.
It was described at the time by Check Point Security as "clearly one of the most serious vulnerabilities on the internet in recent years, and the potential for damage is incalculable".
The incident caused upheaval throughout the security industry, kicking off a new era of software supply chain scrutiny and prompting software bill of materials mandates in US executive order 14028 and tighter oversight in Europe through the NIS2 Directive and the Cyber Resilience Act (CRA).
However, Sonatype said that in 2025 alone, there were nearly 300 million total Log4j downloads, of which 40 million were vulnerable.
In China, the US, India, Japan, Brazil, Germany, the UK, Canada, South Korea, and France, between 8% and 29% of Log4j downloads still contained Log4Shell. India did particularly badly, with 29%, while the figure was 28% for China and 22% for Japan.
Log4j complacency persists
According to Sonatype, the reason behind continued vulnerable Log4j downloads lies in a combination of complacency and the simple fact that the incident occurred several years ago.
A lack of visibility and oversight is another key factor in the trend.
"Once a library is wired in and everything compiles, it tends to stay that way. Versions get pinned, build files get copied from one service to the next, and no one revisits those choices unless something forces the issue — a breach, a compliance audit, or a production outage," said the firm.
"Without someone explicitly owning ongoing dependency maintenance, those 'temporary' choices turn into long-lived tech debt. Vulnerable versions of Log4j and other libraries stick around not because anyone chose them recently, but because no one chose to replace them."
Meanwhile, many vulnerable components — including Log4j in some stacks — are pulled in transitively by other libraries and frameworks, creating an ownership vacuum.
Component choices are typically optimized for speed and familiarity, rather than time-to-fix history, security posture, or the quality of governance and maintenance.
Security tooling doesn’t always help either, largely because of alert fatigue.
"If you’re not sure where you stand today, start by getting the numbers. Run a scan of your applications to find Log4j and other frequently downloaded vulnerable components, calculate what share of their usage is to vulnerable versions, and benchmark your own 'unnecessary risk rate'," said the firm.
"That’s the first step toward making sure Log4Shell is remembered as a turning point, not just an anniversary."
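The scan-and-benchmark step Sonatype describes can be approximated from a plain dependency list. The script below is an added example written for this article, not Sonatype's tooling: it reads dependency coordinates in the style printed by `mvn dependency:list` (groupId:artifactId:type:version:scope), flags log4j-core versions older than an assumed fixed-version threshold (2.17.1 here; set it to your own policy) as vulnerable, notes the end-of-life 1.x artifact separately, and reports the share of log4j-core usage that points at vulnerable versions as an "unnecessary risk rate". The sample dependency lines are constructed for the example.

```python
"""Compute an "unnecessary risk rate" for Log4j from a dependency list.

Added example, not Sonatype's tooling. The input format and the
fixed-version threshold below are assumptions made for the example.
"""
import re
from dataclasses import dataclass

# Assumption: first Log4j 2.x release this example treats as safe against
# Log4Shell and its follow-up fixes. Adjust to your own policy.
FIXED_VERSION = "2.17.1"
LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")
LOG4J_1X = ("log4j", "log4j")  # Log4j 1.x: end-of-life, no fixes published

# Constructed sample in the `mvn dependency:list` style
# (groupId:artifactId:type:version:scope), with some non-Log4j entries.
SAMPLE_DEPENDENCIES = """\
org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
org.apache.logging.log4j:log4j-core:jar:2.0-beta9:compile
org.apache.logging.log4j:log4j-core:jar:2.20.0:runtime
com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
log4j:log4j:jar:1.2.17:compile
"""

_PRERELEASE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(version):
    """Turn '2.0-beta9' into a sortable tuple so that 2.0-beta9 < 2.0 < 2.0.1.

    Numeric components come first; a release (no suffix) sorts above any
    pre-release tag of the same numeric version.
    """
    numeric, _, suffix = version.partition("-")
    parts = tuple(int(p) for p in numeric.split(".") if p.isdigit())
    if not suffix:
        return parts, (9, 0)
    m = re.match(r"([A-Za-z]+)(\d*)", suffix)
    tag = _PRERELEASE_ORDER.get(m.group(1).lower(), 3) if m else 3
    num = int(m.group(2)) if m and m.group(2) else 0
    return parts, (tag, num)


@dataclass
class Finding:
    coordinate: str  # groupId:artifactId
    version: str
    status: str      # "vulnerable", "fixed" or "end-of-life"


def parse_dependency_line(line):
    """Accept 'g:a:v' or 'g:a:type:v[:scope]'; return (group, artifact, version)."""
    fields = line.strip().split(":")
    if len(fields) < 3:
        return None
    version = fields[2] if len(fields) == 3 else fields[3]
    return fields[0], fields[1], version


def classify(group, artifact, version):
    """Status for Log4j artifacts; None for anything else."""
    if (group, artifact) == LOG4J_CORE:
        if parse_version(version) < parse_version(FIXED_VERSION):
            return "vulnerable"
        return "fixed"
    if (group, artifact) == LOG4J_1X:
        return "end-of-life"
    return None


def risk_report(dependency_text):
    """Collect Log4j findings and the share of log4j-core usage that is vulnerable."""
    findings = []
    for raw in dependency_text.splitlines():
        parsed = parse_dependency_line(raw)
        if parsed is None:
            continue
        group, artifact, version = parsed
        status = classify(group, artifact, version)
        if status:
            findings.append(Finding(f"{group}:{artifact}", version, status))
    core = [f for f in findings if f.coordinate == ":".join(LOG4J_CORE)]
    vulnerable = sum(1 for f in core if f.status == "vulnerable")
    rate = vulnerable / len(core) if core else 0.0
    return {
        "findings": findings,
        "log4j_core_total": len(core),
        "log4j_core_vulnerable": vulnerable,
        "unnecessary_risk_rate": rate,
    }


if __name__ == "__main__":
    report = risk_report(SAMPLE_DEPENDENCIES)
    for f in report["findings"]:
        print(f"{f.status:12} {f.coordinate}:{f.version}")
    print(f"log4j-core vulnerable: {report['log4j_core_vulnerable']}/"
          f"{report['log4j_core_total']} "
          f"(unnecessary risk rate {report['unnecessary_risk_rate']:.0%})")
```

Feeding it real `mvn dependency:list -DoutputFile=...` output from each service gives the per-application numbers the quote asks for; aggregating the counts across services yields the organisation-wide rate to benchmark against the 13% global and 14% UK figures cited above. Because the report counts every occurrence of log4j-core, including ones pulled in transitively, it also surfaces the "ownership vacuum" cases where nobody chose the vulnerable version directly.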
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.