Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Hibernate Validator by Hibernate

    CVE-2025-35036 (GCVE-0-2025-35036)

    Vulnerability from nvd – Published: 2025-06-03 19:27 – Updated: 2025-06-05 18:41
    VLAI
    Title
    hibernate-validator insecure default Expression Language interpolation
    Summary
    Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Hibernate Hibernate Validator Affected: 0 , < 6.2.0 (custom)
    Affected: 0 , < 7.0.0 (custom)
    Unaffected: 6.2.0
    Unaffected: 7.0.0
    Create a notification for this product.
    Date Public
    2020-11-25 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-35036",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-05T18:41:11.769413Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-05T18:41:26.981Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Hibernate Validator",
              "vendor": "Hibernate",
              "versions": [
                {
                  "lessThan": "6.2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.2.0"
                },
                {
                  "status": "unaffected",
                  "version": "7.0.0"
                }
              ]
            }
          ],
          "datePublic": "2020-11-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            },
            {
              "other": {
                "content": {
                  "id": "CVE-2025-35036",
                  "options": [
                    {
                      "Exploitation": "poc"
                    },
                    {
                      "Automatable": "no"
                    },
                    {
                      "Technical Impact": "partial"
                    }
                  ],
                  "role": "CISA Coordinator",
                  "timestamp": "2025-06-03T18:00:12.785957Z",
                  "version": "2.0.3"
                },
                "type": "ssvc"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-03T19:27:42.900Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://hibernate.org/validator/documentation/migration-guide/#6-2-0-cr1"
            },
            {
              "name": "url",
              "url": "https://in.relation.to/2021/01/06/hibernate-validator-700-62-final-released/#expression-language"
            },
            {
              "name": "url",
              "url": "https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext"
            },
            {
              "name": "url",
              "url": "https://hibernate.atlassian.net/browse/HV-1816"
            },
            {
              "name": "url",
              "url": "https://github.com/hibernate/hibernate-validator/compare/6.1.7.Final...6.2.0.Final"
            },
            {
              "name": "url",
              "url": "https://github.com/hibernate/hibernate-validator/commit/05f795bb7cf18856004f40e5042709e550ed0d6e"
            },
            {
              "name": "url",
              "url": "https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1"
            },
            {
              "name": "url",
              "url": "https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893"
            },
            {
              "name": "url",
              "url": "https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/"
            },
            {
              "name": "url",
              "url": "https://github.com/hibernate/hibernate-validator/commit/d2db40b9e7d22c7a0b44d7665242dfc7b4d14d78"
            },
            {
              "name": "url",
              "url": "https://github.com/hibernate/hibernate-validator/pull/1138"
            },
            {
              "name": "url",
              "url": "https://www.cve.org/CVERecord?id=CVE-2025-4428"
            },
            {
              "name": "url",
              "url": "https://www.cve.org/CVERecord?id=CVE-2020-5245"
            }
          ],
          "title": "hibernate-validator insecure default Expression Language interpolation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2025-35036",
        "datePublished": "2025-06-03T19:27:42.900Z",
        "dateReserved": "2025-04-15T20:56:24.404Z",
        "dateUpdated": "2025-06-05T18:41:26.981Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-35036 (GCVE-0-2025-35036)

    Vulnerability from cvelistv5 – Published: 2025-06-03 19:27 – Updated: 2025-06-05 18:41
    VLAI
    Title
    hibernate-validator insecure default Expression Language interpolation
    Summary
    Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Hibernate Hibernate Validator Affected: 0 , < 6.2.0 (custom)
    Affected: 0 , < 7.0.0 (custom)
    Unaffected: 6.2.0
    Unaffected: 7.0.0
    Create a notification for this product.
    Date Public
    2020-11-25 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-35036",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-05T18:41:11.769413Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-05T18:41:26.981Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Hibernate Validator",
              "vendor": "Hibernate",
              "versions": [
                {
                  "lessThan": "6.2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.2.0"
                },
                {
                  "status": "unaffected",
                  "version": "7.0.0"
                }
              ]
            }
          ],
          "datePublic": "2020-11-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            },
            {
              "other": {
                "content": {
                  "id": "CVE-2025-35036",
                  "options": [
                    {
                      "Exploitation": "poc"
                    },
                    {
                      "Automatable": "no"
                    },
                    {
                      "Technical Impact": "partial"
                    }
                  ],
                  "role": "CISA Coordinator",
                  "timestamp": "2025-06-03T18:00:12.785957Z",
                  "version": "2.0.3"
                },
                "type": "ssvc"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-03T19:27:42.900Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://hibernate.org/validator/documentation/migration-guide/#6-2-0-cr1"
            },
            {
              "name": "url",
              "url": "https://in.relation.to/2021/01/06/hibernate-validator-700-62-final-released/#expression-language"
            },
            {
              "name": "url",
              "url": "https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext"
            },
            {
              "name": "url",
              "url": "https://hibernate.atlassian.net/browse/HV-1816"
            },
            {
              "name": "url",
              "url": "https://github.com/hibernate/hibernate-validator/compare/6.1.7.Final...6.2.0.Final"
            },
            {
              "name": "url",
              "url": "https://github.com/hibernate/hibernate-validator/commit/05f795bb7cf18856004f40e5042709e550ed0d6e"
            },
            {
              "name": "url",
              "url": "https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1"
            },
            {
              "name": "url",
              "url": "https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893"
            },
            {
              "name": "url",
              "url": "https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/"
            },
            {
              "name": "url",
              "url": "https://github.com/hibernate/hibernate-validator/commit/d2db40b9e7d22c7a0b44d7665242dfc7b4d14d78"
            },
            {
              "name": "url",
              "url": "https://github.com/hibernate/hibernate-validator/pull/1138"
            },
            {
              "name": "url",
              "url": "https://www.cve.org/CVERecord?id=CVE-2025-4428"
            },
            {
              "name": "url",
              "url": "https://www.cve.org/CVERecord?id=CVE-2020-5245"
            }
          ],
          "title": "hibernate-validator insecure default Expression Language interpolation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2025-35036",
        "datePublished": "2025-06-03T19:27:42.900Z",
        "dateReserved": "2025-04-15T20:56:24.404Z",
        "dateUpdated": "2025-06-05T18:41:26.981Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }