CVE-2025-35036

hibernate-validator insecure default Expression Language interpolation

Severity Score

6.9

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

Low

None

Integrity

Low

None

Availability

Low

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-04-15 CVE Reserved
2025-06-03 CVE Published
2025-06-05 CVE Updated
2025-06-09 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

References (13)

URL	Tag	Source
https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext
https://github.com/hibernate/hibernate-validator/commit/05f795bb7cf18856004f40e5042709e550ed0d6e
https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1
https://github.com/hibernate/hibernate-validator/commit/d2db40b9e7d22c7a0b44d7665242dfc7b4d14d78
https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893
https://github.com/hibernate/hibernate-validator/compare/6.1.7.Final...6.2.0.Final
https://github.com/hibernate/hibernate-validator/pull/1138
https://hibernate.atlassian.net/browse/HV-1816
https://hibernate.org/validator/documentation/migration-guide/#6-2-0-cr1
https://in.relation.to/2021/01/06/hibernate-validator-700-62-final-released/#expression-language
https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428
https://www.cve.org/CVERecord?id=CVE-2020-5245
https://www.cve.org/CVERecord?id=CVE-2025-4428

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Hibernate Search vendor "Hibernate"		Hibernate Validator Search vendor "Hibernate" for product "Hibernate Validator"				< 6.2.0 Search vendor "Hibernate" for product "Hibernate Validator" and version " < 6.2.0"		en		Affected
Hibernate Search vendor "Hibernate"		Hibernate Validator Search vendor "Hibernate" for product "Hibernate Validator"				< 7.0.0 Search vendor "Hibernate" for product "Hibernate Validator" and version " < 7.0.0"		en		Affected