embeddedkafka / embedded-kafka

A library that provides an in-memory Kafka instance to run your tests against.

Upgrade log4j dependency to supported version

robertjgtoth opened this issue · comments

At the moment, the slf4j-log4j12 binding for log4j 1.2 is being used for logging, which pulls in log4j 1.2.17 as a dependency.

"org.slf4j" % "slf4j-log4j12" % Versions.Slf4j,

Log4j 1.2 has been end-of-life since 2015, and suffers from several major vulnerabilities (for example https://www.cvedetails.com/cve/CVE-2022-23305/ and https://www.cvedetails.com/cve/CVE-2021-4104/).

Many software organizations have security policies which prohibit using libraries which depend on software with such high-visibility security issues (even in test), and as such are unable to use your library, even though they'd really like to.

Replacing the slf4j-log4j12 library with a binding for log4j 2.x (for example https://logging.apache.org/log4j/2.x/log4j-slf4j-impl/), or replacing use of log4j with another logging framework such as logback or JCL would be a good step for the security of this library.

Hi @robertjgtoth , thank you for your message.
Kafka itself is the main reason this library is relying on log4j. Apache is aware of the vulnerability (see this issue) and they stated that

We plan to move to log4j2 in the next major release 4.0.0.

That being said, this library pulls log4j only in the test scope, so it is not enforcing the dependency onto its clients.
Hope this helps, cheers

Apache Kafka is using reload4j which doesn't have the vulnerabilities mentioned.
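For a client project that wants to act on the suggestions above (swap the EOL slf4j-log4j12 binding for log4j 2 or for reload4j, and confirm that log4j 1.2 never reaches the runtime classpath), the following build.sbt fragment is an added example. It is not embedded-kafka's own build and not the maintainer's reply; the group/artifact coordinates for embedded-kafka, and every version number, are assumptions you should align with the versions your project actually uses.

```scala
// build.sbt of an assumed client project (added example, not embedded-kafka's own build).
// Goal: keep embedded-kafka in Test scope only, keep log4j 1.2 and its slf4j-log4j12
// binding off every classpath, and route SLF4J to a supported backend instead.
// All coordinates and versions below are assumptions; adjust them to your project.

val embeddedKafkaVersion = "3.4.0"   // assumed
val slf4jVersion         = "1.7.36"  // first 1.7.x line that ships slf4j-reload4j
val reload4jVersion      = "1.2.19"  // reload4j: API-compatible log4j 1.2 fork with the CVEs fixed
val log4j2Version        = "2.20.0"

// Pick ONE backend for the test classpath.
val useReload4j = true

libraryDependencies ++= Seq(
  // Test scope only: nothing here reaches a client's compile or runtime classpath.
  // exclude() drops the EOL binding and log4j 1.2 itself even when they are only
  // reached transitively (e.g. via Kafka).
  ("io.github.embeddedkafka" %% "embedded-kafka" % embeddedKafkaVersion % Test)
    .exclude("org.slf4j", "slf4j-log4j12")
    .exclude("log4j", "log4j")
) ++ (if (useReload4j) Seq(
  // Option A: reload4j. Existing log4j.properties files keep working.
  "org.slf4j"       % "slf4j-reload4j" % slf4jVersion    % Test,
  "ch.qos.reload4j" % "reload4j"       % reload4jVersion % Test
) else Seq(
  // Option B: log4j 2 through its SLF4J 1.7 binding.
  "org.apache.logging.log4j" % "log4j-slf4j-impl" % log4j2Version % Test,
  "org.apache.logging.log4j" % "log4j-core"       % log4j2Version % Test
))

// Project-wide exclusion: covers any OTHER dependency that might pull the banned
// artifacts in, so a future upgrade cannot reintroduce them unnoticed.
excludeDependencies ++= Seq(
  ExclusionRule("log4j", "log4j"),
  ExclusionRule("org.slf4j", "slf4j-log4j12")
)
```

To verify the maintainer's point that the dependency stays in test scope, and that the exclusions took effect, print the resolved trees per configuration (assuming sbt 1.4 or newer, where the dependency-tree plugin is bundled and enabled with `addDependencyTreePlugin` in project/plugins.sbt): `sbt "Compile/dependencyTree"` should show no log4j or slf4j-log4j12 entries at all, and `sbt "Test/dependencyTree"` should show only the backend you chose. Kafka 3.x itself already depends on reload4j rather than log4j 1.2, so the `log4j:log4j` exclusion is a no-op there and only guards against older transitive paths.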