Details
- Bug
- Resolution: Unresolved
- Major
- 2.0.0-alpha1
Description
Hello, it looks like the latest version of slf4j-log4j12 (2.0.0-alpha1) has a dependency on log4j-1.2.17.jar, and it will have the issue of deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.
Related documentation: https://nvd.nist.gov/vuln/detail/CVE-2019-17571
Please let me know if you already have this on your radar.
Regards.
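To check whether a deployment actually ships the Log4j 1.x socket listener behind CVE-2019-17571, the sketch below scans a jar, including jars nested inside a fat jar, for a Log4j 1.x copy and its listener classes. It is an added example, not code from the reporter or the SLF4J project; the function names, the sample archive layout and the reliance on Maven's `pom.properties` for the version are assumptions.

```python
import io
import sys
import zipfile

# Socket listener classes shipped in Log4j 1.2; SocketServer is the class
# named in the CVE-2019-17571 description.
LISTENER_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
)
# Assumption: the jar carries Maven's pom.properties at this path.
POM_PROPS = "META-INF/maven/log4j/log4j/pom.properties"


def find_log4j1(data, origin):
    """Yield (location, version, listener classes) per Log4j 1.x copy, nested jars included."""
    try:
        jar = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not an archive, nothing to report
    with jar:
        names = jar.namelist()
        if POM_PROPS in names:
            props = jar.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            version = next((p[8:].strip() for p in props if p.startswith("version=")), None)
            yield origin, version, [c for c in LISTENER_CLASSES if c in names]
        for name in names:
            if name.endswith((".jar", ".war")):  # fat jars bundle dependencies
                yield from find_log4j1(jar.read(name), f"{origin}!/{name}")


def make_jar(entries):
    """Build an in-memory jar from {name: content}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def demo():
    # Constructed sample: empty placeholder class files, not real Log4j bytecode.
    log4j = make_jar({POM_PROPS: "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n",
                      **{c: b"" for c in LISTENER_CLASSES}})
    app = make_jar({"BOOT-INF/lib/log4j-1.2.17.jar": log4j,
                    "BOOT-INF/lib/other.jar": make_jar({"placeholder.txt": "x"})})
    return list(find_log4j1(app, "app.jar"))


if __name__ == "__main__":
    hits = [h for p in sys.argv[1:] for h in find_log4j1(open(p, "rb").read(), p)] or demo()
    for location, version, classes in hits:
        print(location, version, classes)
```

A hit means the listener classes are on the classpath; the application is exposed only if it starts that listener on a port reachable by untrusted senders.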