CVE-2025-35036
Expression Language Injection in Hibernate Validator Enables Code Execution
Publication date: 2025-06-03
Last updated on: 2025-06-03
Assigner: 9119a7d8-5eab-497f-8521-727c672e3725
Description
Description
Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Affected Vendors & Products
| Vendor | Product | Version |
|---|---|---|
| hibernate | validator | * |
| hibernate | validator | * |
| hibernate | validator | * |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
AI Powered Q&A
Can you explain this vulnerability to me?
How can this vulnerability impact me? :
How can this vulnerability be detected on my network or system? Can you suggest some commands?
What immediate steps should I take to mitigate this vulnerability?
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
Meta Information
CVE Publication Date:
2025-06-03
CVE Last Modified Date:
2025-06-03
Report Generation Date:
2025-07-14
AI Powered Q&A Generation:
2025-06-03
EPSS Last Evaluated Date:
2025-07-02
NVD Report Link: