https://owasp.org/www-community/vulnerabilities/CRLF_Injection#:~:text=Description,ASCII%2010%2C%20%5Cn%20).&text=A%20CRLF%20Injection%20attack%20occurs,an%20HTTP%20parameter%20or%20URL.

The fix is easy: encode the message and the throwable message.

    LogManager.getLogger(Application.class).info("test\r\n");

will output something like this:

test\r\n

Comment From: wilkinsona

Thanks for the suggestion. I don't think it's appropriate to encode CR or LF characters by default, as it has a significant impact on the format of the log files. This change in format may break monitoring tools and also hurts readability. For example, the Spring Boot condition evaluation report becomes much harder to read without any line breaks. Log4j2's own default console pattern is %d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n, so they too do not perform CRLF encoding of the message by default.

In the future, if you believe you have found a possible security vulnerability, please follow the guidelines in the issue template where it says the following:

STOP!! Please don't raise security vulnerabilities here. Head over to https://pivotal.io/security to learn how to disclose them responsibly.
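As an added example that is not part of this issue or of Spring Boot's or Log4j2's own configuration: a log4j2.xml that keeps the default console pattern quoted in the reply for comparison and adds an opt-in variant using Log4j2's %enc{...}{CRLF} pattern converter, which escapes CR and LF inside the message only, so the exception converter placed outside it still writes stack traces with their line breaks (the readability concern raised above). The appender names are my own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the issue, Spring Boot or Log4j2): opt-in CRLF
     encoding of the log message in a Log4j2 PatternLayout. -->
<Configuration status="WARN">
  <Appenders>
    <!-- The default pattern quoted in the thread. %msg is written verbatim, so
         a message such as "test\r\n" ends the line early and whatever follows
         the CR LF appears as if it were a separate log record. -->
    <Console name="Plain" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
    </Console>

    <!-- Opt-in variant. %enc{%msg}{CRLF} rewrites a CR or LF inside the message
         as the two-character sequences \r and \n, so "test\r\n" is logged on
         one line as: test\r\n
         The exception converter (%xEx) is deliberately kept outside %enc so a
         stack trace still spans multiple lines; placing it inside would also
         flatten it, which is the readability cost the reply describes. -->
    <Console name="Encoded" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %enc{%msg}{CRLF}%n%xEx"/>
    </Console>
  </Appenders>

  <Loggers>
    <!-- Switch the ref to "Plain" to see the unencoded behaviour side by side. -->
    <Root level="info">
      <AppenderRef ref="Encoded"/>
    </Root>
  </Loggers>
</Configuration>
```

Multi-line messages the application writes on purpose (such as the condition evaluation report mentioned in the reply) are flattened by %enc as well, so this is a per-appender decision rather than a default.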