@Naozumi Taromaru Thank you for your thoughtful comments. Your remarks about leaking log data via SocketAppender are quite noteworthy. I should note that several security experts have argued against creating CVE-2021-42550 in the first place. While leaking log data can be bad, it is not as bad as an RCE. In my opinion, logback should not be a vector in making an RCE possible even as a stepping stone for the attacker exploiting a prior existing vulnerability (in a different part of the system).