Platform
java
Component
org.hibernate.validator:hibernate-validator
Fixed in
6.2.0
7.0.0
6.2.0.CR1
CVE-2025-35036 is a high-severity vulnerability affecting Hibernate Validator versions prior to 6.2.0 and 7.0.0. This flaw allows attackers to inject Expression Language (EL) into constraint violation messages, potentially leading to information disclosure or code execution. The vulnerability impacts users of Hibernate Validator versions less than or equal to 6.1.7.Final, and a fix is available in version 6.2.0.CR1 and later.
The core of this vulnerability lies in Hibernate Validator's default behavior of interpolating user-supplied input within custom constraint violation messages using Expression Language (EL). An attacker can craft malicious input that, when processed by Hibernate Validator, results in the execution of arbitrary code or the exposure of sensitive information. This could involve accessing environment variables, system properties, or even executing commands on the underlying server. The potential impact is significant, particularly in applications that rely heavily on Hibernate Validator for data validation and where user input is directly incorporated into error messages. This vulnerability shares similarities with CVE-2020-5245 and other related vulnerabilities involving EL interpolation, highlighting the importance of careful input validation and secure configuration.
CVE-2025-35036 was publicly disclosed on June 3, 2025. The vulnerability's severity is rated as HIGH with a CVSS score of 7.3. There are currently no known public exploits or active campaigns targeting this vulnerability, but the presence of Expression Language interpolation makes it a potential target. It is recommended to prioritize patching to prevent future exploitation. The vulnerability is not currently listed on the CISA KEV catalog.
Applications using Hibernate Validator for data validation, particularly those that incorporate user-supplied input into constraint violation messages, are at risk. This includes web applications, REST APIs, and any Java-based system relying on Hibernate Validator for input validation. Legacy applications on older versions of Hibernate Validator are particularly exposed.
• java / server:
# Check for vulnerable versions of Hibernate Validator in dependencies
# (affected: <= 6.1.7.Final; fixed: 6.2.0.CR1 and later). -A2 prints the
# <version> element that follows the artifactId in pom.xml, or the full
# group:artifact:version coordinate in build.gradle.
find . -name pom.xml -o -name build.gradle | xargs grep -n -A2 'hibernate-validator'
• java / application:
// Inspect the Hibernate Validator version at runtime. HibernateValidator is the
// provider class shipped in the hibernate-validator jar, so its package reports that
// jar's Implementation-Version (null if the classes are not loaded from the jar).
import org.hibernate.validator.HibernateValidator;

String validatorVersion = HibernateValidator.class.getPackage().getImplementationVersion();
System.out.println("Hibernate Validator Version: " + validatorVersion);
Exploit Status
EPSS
0.58% (69th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-35036 is to upgrade to Hibernate Validator version 6.2.0.CR1 or later. In those versions EL interpolation is disabled by default for custom constraint violation messages. If upgrading is not immediately feasible, validate and sanitize user-supplied data before it reaches a constraint violation message, and avoid placing user-supplied input directly into message templates at all. While not a direct fix, configuring Hibernate Validator so that user input is never interpolated significantly reduces the attack surface. After upgrading, confirm the fix by submitting a harmless EL expression to a validated field and checking that it appears verbatim, unevaluated, in the resulting message.
Upgrade Hibernate Validator to version 6.2.0 or later. This version disables Expression Language interpolation in custom constraint violation messages by default. Avoid using user-supplied input in constraint violation messages.
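The hardened validator pattern and the post-upgrade check described above, as an added example (this is not code from the advisory or from the Hibernate Validator project). It targets the javax.validation API of Hibernate Validator 6.2.x and relies on the HibernateConstraintValidatorContext methods enableExpressionLanguage(...) and addMessageParameter(...), which exist from 6.2 onward; the @SafeHandle constraint, the Registration bean and the "${1+1}" probe string are constructed for illustration. The vulnerable pattern is kept, commented out, next to the hardened one so the difference is visible in one place.

```java
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.ConstraintViolation;
import javax.validation.Payload;
import javax.validation.Validation;
import javax.validation.Validator;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;
import org.hibernate.validator.messageinterpolation.ExpressionLanguageFeatureLevel;

public class ElInjectionCheck {

    // Hypothetical constraint: a handle must be 3 to 32 word characters.
    @Documented
    @Target({ElementType.FIELD, ElementType.PARAMETER})
    @Retention(RetentionPolicy.RUNTIME)
    @Constraint(validatedBy = SafeHandleValidator.class)
    public @interface SafeHandle {
        String message() default "invalid handle";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    public static class SafeHandleValidator implements ConstraintValidator<SafeHandle, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null || value.matches("\\w{3,32}")) {
                return true;
            }
            ctx.disableDefaultConstraintViolation();

            // VULNERABLE PATTERN (the behaviour the advisory describes): the rejected value is
            // spliced into the template itself. On <= 6.1.7.Final, where EL is interpolated by
            // default for custom violations, a value containing "${...}" is evaluated.
            // ctx.buildConstraintViolationWithTemplate("'" + value + "' is not a valid handle")
            //    .addConstraintViolation();

            // HARDENED PATTERN: the template stays static, the user value travels as a message
            // parameter, and Expression Language is switched off for this violation (the 6.2+
            // default, made explicit here so a later configuration change cannot re-enable it).
            HibernateConstraintValidatorContext hv = ctx.unwrap(HibernateConstraintValidatorContext.class);
            hv.enableExpressionLanguage(ExpressionLanguageFeatureLevel.NONE)
              .addMessageParameter("handle", value)
              .buildConstraintViolationWithTemplate("'{handle}' is not a valid handle")
              .addConstraintViolation();
            return false;
        }
    }

    // Hypothetical bean carrying user-supplied input.
    public static class Registration {
        @SafeHandle
        public final String handle;
        public Registration(String handle) { this.handle = handle; }
    }

    // Post-upgrade check: validate a constructed, side-effect-free EL probe and require that
    // the resulting message still carries it verbatim. Returns true when nothing was evaluated.
    public static boolean elStaysLiteral(Validator validator, String probe) {
        Set<ConstraintViolation<Registration>> violations = validator.validate(new Registration(probe));
        if (violations.size() != 1) {
            throw new IllegalStateException("expected exactly one violation, got " + violations.size());
        }
        return violations.iterator().next().getMessage().contains(probe);
    }

    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        String probe = "${1+1}";   // constructed probe: pure arithmetic, harmless if it were evaluated
        boolean ok = elStaysLiteral(validator, probe);
        System.out.println(ok ? "OK: EL probe left uninterpolated" : "FAIL: EL probe was evaluated");
        if (!ok) {
            System.exit(1);
        }
    }
}
```

Run it once against the upgraded dependency as part of the deployment checks: a message that reads "'${1+1}' is not a valid handle" means the probe was left alone, while "'2' is not a valid handle" means EL interpolation is still active for custom violations and the upgrade or configuration has not taken effect. Keeping the template static and passing the value through addMessageParameter is the pattern to apply to every custom validator that echoes input, since the default-off setting protects only code paths that do not turn EL back on.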
CVE-2025-35036 is a high-severity vulnerability in Hibernate Validator versions ≤6.1.7.Final that allows attackers to inject Expression Language into constraint violation messages, potentially leading to code execution or information disclosure.
You are affected if you are using Hibernate Validator versions less than or equal to 6.1.7.Final and allow user-supplied input in constraint violation messages.
Upgrade to Hibernate Validator version 6.2.0.CR1 or later to disable the default EL interpolation behavior. Alternatively, sanitize user input before using it in validation messages.
As of June 3, 2025, there are no known public exploits or active campaigns targeting this vulnerability, but it remains a potential risk.
Refer to the Hibernate Validator project website and related security advisories for the latest information and updates regarding CVE-2025-35036.