Code Injection in Hibernate Validator - CVE-2025-35036

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to Hibernate Validator by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

How to mitigate CVE-2025-35036

Sources

• https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext
• https://github.com/hibernate/hibernate-validator/commit/05f795bb7cf18856004f40e5042709e550ed0d6e
• https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1
• https://github.com/hibernate/hibernate-validator/commit/d2db40b9e7d22c7a0b44d7665242dfc7b4d14d78
• https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893
• https://github.com/hibernate/hibernate-validator/compare/6.1.7.Final...6.2.0.Final
• https://github.com/hibernate/hibernate-validator/pull/1138
• https://hibernate.atlassian.net/browse/HV-1816
• https://hibernate.org/validator/documentation/migration-guide/#6-2-0-cr1
• https://in.relation.to/2021/01/06/hibernate-validator-700-62-final-released/#expression-language
• https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/
• https://www.cve.org/CVERecord?id=CVE-2020-5245
• https://www.cve.org/CVERecord?id=CVE-2025-4428