log4j-core 2.25.3 in released agent JAR is flagged by vulnerability scanners (fixed in 2.25.4) #4443

@Harguer

Describe the bug

The published Elastic APM Java agent JAR includes log4j-core version 2.25.3, which is reported by vulnerability scanners as affected by several Medium-severity GitHub Security Advisories. The advisories are marked as fixed in log4j-core version 2.25.4.

Artifact scanned:

  • co.elastic.apm:elastic-apm-agent-java8:1.55.5 (downloaded from Maven Central)

Scanner result (Grype): see the table under "Debug logs" below.

Steps to reproduce

  1. Fetch latest agent version from Maven Central metadata:
    # \K drops the '<latest>' prefix from the match so only the version string is printed
    LATEST_VERSION=$(curl -s https://repo1.maven.org/maven2/co/elastic/apm/elastic-apm-agent-java8/maven-metadata.xml | rg -oP '<latest>\K[^<]+')
    echo "$LATEST_VERSION"
    # observed: 1.55.5
  2. Download the agent jar:
    curl -L -o elastic-apm-agent.jar \
      "https://repo1.maven.org/maven2/co/elastic/apm/elastic-apm-agent-java8/${LATEST_VERSION}/elastic-apm-agent-java8-${LATEST_VERSION}.jar"
  3. Scan it:
    grype elastic-apm-agent.jar

Expected behavior

The agent JAR should not include a version of log4j-core with known, fixed vulnerabilities (or maintainers should provide guidance if it is intentionally bundled and if/when it will be updated).

Debug logs

NAME        INSTALLED  FIXED IN  TYPE          VULNERABILITY        SEVERITY
log4j-core  2.25.3     2.25.4    java-archive  GHSA-445c-vh5m-36rj  Medium
log4j-core  2.25.3     2.25.4    java-archive  GHSA-3pxv-7cmr-fjr4  Medium
log4j-core  2.25.3     2.25.4    java-archive  GHSA-6hg6-v5c8-fphq  Medium

Additional context

If there is an intentional reason log4j-core is currently pinned to 2.25.3 (compatibility, shading constraints, etc.), can you confirm whether these advisories apply to the agent's usage context and if/when an update to 2.25.4 or later is planned? Please advise if more details (e.g., grype/OS info) would assist.
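As an added example (not code from the issue author or the Elastic project), a check a defender can run on the downloaded JAR without a scanner: it reads the log4j-core version recorded in the shaded JAR's Maven metadata and compares it against the 2.25.4 fix version reported above. It assumes the bundle keeps the dependency's META-INF/maven/.../pom.properties entry, which is the kind of evidence scanners such as Grype key on; the sample JAR is constructed inside the script.

```python
import io
import re
import sys
import zipfile

# Minimum log4j-core version the Grype output in this issue reports as fixed.
FIXED_VERSION = "2.25.4"
# Assumption: the shaded agent JAR keeps the dependency's Maven metadata entry.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(v):
    """'2.25.3' -> (2, 25, 3): compare numerically, since as strings '2.25.10' sorts before '2.25.4'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def bundled_log4j_core_version(jar_bytes):
    """Return the log4j-core version recorded in the JAR, or None if it is not bundled."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "version":
                return value.strip()
    return None


def is_outdated(version, fixed=FIXED_VERSION):
    """True when a bundled version is older than the version the advisories are fixed in."""
    return version is not None and parse_version(version) < parse_version(fixed)


def build_sample_jar(log4j_version):
    """Constructed stand-in for the agent JAR; only the metadata entry matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                     f"artifactId=log4j-core\nversion={log4j_version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Pass the downloaded elastic-apm-agent.jar as argv[1]; otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar("2.25.3")
    found = bundled_log4j_core_version(data)
    verdict = f"below fixed version {FIXED_VERSION}" if is_outdated(found) else "ok"
    print(f"log4j-core {found}: {verdict}")
```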
