CVE-2025-35036: EL Injection in Hibernate Validator
Platform: java
Component: org.hibernate.validator:hibernate-validator
Fixed in: 6.2.0, 7.0.0, 6.2.0.CR1
CVE-2025-35036 is a high-severity vulnerability affecting Hibernate Validator versions prior to 6.2.0 and 7.0.0. This flaw allows attackers to inject Expression Language (EL) into constraint violation messages, potentially leading to information disclosure or code execution. The vulnerability impacts users of Hibernate Validator versions less than or equal to 6.1.7.Final, and a fix is available in version 6.2.0.CR1 and later.
Impact and Attack Scenarios
The core of this vulnerability lies in Hibernate Validator's default behavior of interpolating user-supplied input within custom constraint violation messages using Expression Language (EL). An attacker can craft malicious input that, when processed by Hibernate Validator, results in the execution of arbitrary code or the exposure of sensitive information. This could involve accessing environment variables, system properties, or even executing commands on the underlying server. The potential impact is significant, particularly in applications that rely heavily on Hibernate Validator for data validation and where user input is directly incorporated into error messages. This vulnerability shares similarities with CVE-2020-5245 and other related vulnerabilities involving EL interpolation, highlighting the importance of careful input validation and secure configuration.
Exploitation Context
CVE-2025-35036 was publicly disclosed on June 3, 2025. The vulnerability's severity is rated as HIGH with a CVSS score of 7.3. There are currently no known public exploits or active campaigns targeting this vulnerability, but the presence of Expression Language interpolation makes it a potential target. It is recommended to prioritize patching to prevent future exploitation. The vulnerability is not currently listed on the CISA KEV catalog.
Threat Intelligence
EPSS: 0.58% (69th percentile)
CVSS Vector (as encoded by the metrics below): AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
- Integrity: Low — attacker can modify some data with limited scope or impact.
- Availability: Low — partial or intermittent denial of service. Attacker can degrade performance.
Mitigation and Workarounds
The primary mitigation for CVE-2025-35036 is to upgrade to Hibernate Validator version 6.2.0.CR1 or later. These versions have disabled the default EL interpolation behavior in constraint violation messages. If upgrading is not immediately feasible, consider implementing input validation to sanitize user-supplied data before it is used in constraint violation messages. Furthermore, avoid allowing user-supplied input directly within constraint violation messages. While not a direct fix, configuring Hibernate Validator to not interpolate user input can significantly reduce the attack surface. After upgrading, confirm the fix by attempting to inject EL expressions into validation messages and verifying that they are not processed.
How to fix
Upgrade Hibernate Validator to version 6.2.0 or later. This version disables Expression Language interpolation in custom constraint violation messages by default. Avoid using user-supplied input in constraint violation messages.
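The following is an added example written for this page; it is not code from the advisory or from the Hibernate Validator project. It shows, side by side, the pattern the advisory describes (user input concatenated into a custom constraint violation message template, which Hibernate Validator up to 6.1.7.Final interpolates as EL by default) and a hardened validator that keeps the rejected value out of the template entirely and exposes it only through ConstraintViolation#getInvalidValue(). It also pins EL off for custom violations and runs the post-upgrade check the mitigation section recommends, using a harmless arithmetic probe. Assumptions: hibernate-validator 6.2.0.CR1 or later on the classpath together with an EL implementation; the javax.validation imports apply to the 6.x line (7.x uses jakarta.validation); the HibernateValidatorConfiguration#customViolationExpressionLanguageFeatureLevel(...) call and the ExpressionLanguageFeatureLevel enum are taken from the 6.2 migration notes as I recall them and are treated here as assumed 6.2+ API. The SignupForm bean and the username rule are constructed for the demonstration.

```java
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.ConstraintViolation;
import javax.validation.Payload;
import javax.validation.Validation;
import javax.validation.Validator;
import org.hibernate.validator.HibernateValidator;
import org.hibernate.validator.messageinterpolation.ExpressionLanguageFeatureLevel;

public class ElInjectionDemo {

    // Constructed validation rule for the demonstration.
    static final String USERNAME_RE = "[A-Za-z0-9_]{3,16}";

    /* --- Pattern the advisory warns about: user input becomes part of the template --- */

    @Documented
    @Constraint(validatedBy = UnsafeUsernameValidator.class)
    @Target(ElementType.FIELD)
    @Retention(RetentionPolicy.RUNTIME)
    public @interface UnsafeUsername {
        String message() default "invalid username";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    public static class UnsafeUsernameValidator implements ConstraintValidator<UnsafeUsername, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null || value.matches(USERNAME_RE)) {
                return true;
            }
            ctx.disableDefaultConstraintViolation();
            // The rejected value is concatenated into the message *template*. On releases
            // up to 6.1.7.Final the template is EL-interpolated by default, so an input
            // containing ${...} is evaluated instead of being shown verbatim.
            ctx.buildConstraintViolationWithTemplate("Invalid username: " + value)
               .addConstraintViolation();
            return false;
        }
    }

    /* --- Hardened pattern: constant template, rejected value never enters it --- */

    @Documented
    @Constraint(validatedBy = SafeUsernameValidator.class)
    @Target(ElementType.FIELD)
    @Retention(RetentionPolicy.RUNTIME)
    public @interface SafeUsername {
        String message() default "Username must be 3-16 characters from [A-Za-z0-9_]";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    public static class SafeUsernameValidator implements ConstraintValidator<SafeUsername, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            // Returning false emits the constant default message. Callers that need the
            // rejected value read ConstraintViolation#getInvalidValue() instead.
            return value == null || value.matches(USERNAME_RE);
        }
    }

    /** Constructed sample bean carrying the same input under both constraints. */
    public static class SignupForm {
        @UnsafeUsername public final String legacyName;
        @SafeUsername public final String hardenedName;
        public SignupForm(String name) { this.legacyName = name; this.hardenedName = name; }
    }

    /**
     * Post-upgrade check from the mitigation section: validate a probe and return true
     * only if the legacy validator's message still contains the probe text verbatim,
     * i.e. the template was not EL-interpolated.
     */
    public static boolean messagesLeaveElUnprocessed(String probe) {
        Validator validator = Validation.byProvider(HibernateValidator.class)
                .configure()
                // Assumed 6.2+ API: pin EL off for custom violations (already the 6.2+/7.0+
                // default) so a later configuration change cannot silently re-enable it.
                .customViolationExpressionLanguageFeatureLevel(ExpressionLanguageFeatureLevel.NONE)
                .buildValidatorFactory()
                .getValidator();
        Set<ConstraintViolation<SignupForm>> violations = validator.validate(new SignupForm(probe));
        boolean literalSurvived = true;
        for (ConstraintViolation<SignupForm> v : violations) {
            System.out.println(v.getPropertyPath() + " -> " + v.getMessage()
                    + " (rejected value: " + v.getInvalidValue() + ")");
            if ("legacyName".equals(v.getPropertyPath().toString())) {
                literalSurvived &= v.getMessage().contains(probe);
            }
        }
        return !violations.isEmpty() && literalSurvived;
    }

    public static void main(String[] args) {
        // Harmless arithmetic probe: on a fixed release the legacy message reads
        // "Invalid username: ${1+1}" rather than "Invalid username: 2".
        System.out.println("EL left unprocessed: " + messagesLeaveElUnprocessed("${1+1}"));
    }
}
```

Run the main method against the upgraded dependency as a regression check; if it ever prints false, EL interpolation of custom violation templates has been re-enabled somewhere in the configuration. Independently of the version, the SafeUsernameValidator shape is the one to adopt: a constant template cannot carry user-controlled expressions, and any reporting that needs the rejected value gets it from getInvalidValue() rather than from the message.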
Frequently asked questions
What is CVE-2025-35036 — EL Injection in Hibernate Validator?
CVE-2025-35036 is a high-severity vulnerability in Hibernate Validator versions ≤6.1.7.Final that allows attackers to inject Expression Language into constraint violation messages, potentially leading to code execution or information disclosure.
Am I affected by CVE-2025-35036 in Hibernate Validator?
You are affected if you are using Hibernate Validator versions less than or equal to 6.1.7.Final and allow user-supplied input in constraint violation messages.
How do I fix CVE-2025-35036 in Hibernate Validator?
Upgrade to Hibernate Validator version 6.2.0.CR1 or later to disable the default EL interpolation behavior. Alternatively, sanitize user input before using it in validation messages.
Is CVE-2025-35036 being actively exploited?
As of June 3, 2025, there are no known public exploits or active campaigns targeting this vulnerability, but it remains a potential risk.
Where can I find the official Hibernate Validator advisory for CVE-2025-35036?
Refer to the Hibernate Validator project website and related security advisories for the latest information and updates regarding CVE-2025-35036.