CVE-2020-25638 Overview
CVE-2020-25638 is a SQL injection vulnerability in Hibernate ORM versions up to and including 5.4.23.Final. The flaw resides in the Java Persistence API (JPA) Criteria API implementation, where literals embedded in SQL comments are not properly sanitized. Attackers can inject unsanitized SQL fragments through these literals when applications enable comment generation on queries. Successful exploitation allows access to unauthorized data and may enable further attacks against the underlying database. The vulnerability affects multiple downstream products including Quarkus, Debian Linux, and several Oracle enterprise applications that ship Hibernate as a dependency.
Critical Impact
Network-based SQL injection in a widely deployed Java ORM library, threatening data confidentiality and integrity across enterprise applications.
Affected Products
- Hibernate ORM versions up to and including 5.4.23.Final
- Debian Linux 9.0 and 10.0
- Quarkus framework
- Oracle Communications Cloud Native Core Console 1.9.0
- Oracle Retail Customer Management and Segmentation Foundation 19.0
Discovery Timeline
- 2020-12-02 - CVE-2020-25638 published to the National Vulnerability Database
- 2021-01 - Debian LTS security announcement published
- 2021-07 - Oracle Critical Patch Update addresses affected Oracle products
- 2025-04-23 - Last updated in NVD database
Technical Details for CVE-2020-25638
Vulnerability Analysis
The vulnerability is classified as a SQL Injection weakness [CWE-89] in the Hibernate ORM Criteria API. Hibernate is the most widely deployed object-relational mapping (ORM) framework in the Java ecosystem, providing query abstraction through the JPA Criteria API. When applications enable the hibernate.use_sql_comments setting, Hibernate adds an inline SQL comment describing each generated query, and that comment carries the query's literal values, which may be user-controllable. The Criteria API implementation does not sanitize these literals before embedding them in the comment block.
An attacker who controls a query literal can terminate the comment context and inject arbitrary SQL clauses. The injected SQL is then sent to the database engine and executed in the security context of the application's database user. According to EPSS data, the vulnerability has a moderate probability of exploitation activity.
Root Cause
The root cause is missing input neutralization when literal values are serialized into the SQL comment. The Criteria API trusts that string-form literals are inert once wrapped in /* ... */ syntax, so no escaping is performed for the */ sequence that closes the comment, and a literal containing it breaks out of the comment context into executable SQL.
Attack Vector
Exploitation requires the target application to use Hibernate's Criteria API and enable SQL comment generation. The attacker supplies crafted literal input through any application interface that flows into a Criteria query. The malicious literal embeds a comment-terminating sequence followed by attacker-controlled SQL. While the attack is network-accessible without authentication, exploitation complexity is elevated because the application must both enable comment generation and use literals in a vulnerable pattern.
No verified public proof-of-concept code is available. See the Red Hat Bug Report #1881353 for technical analysis from the upstream maintainers.
Detection Methods for CVE-2020-25638
Indicators of Compromise
- Database audit logs containing unexpected SQL statements originating from application service accounts, particularly statements with comment-delimiter sequences such as */ followed by additional SQL clauses.
- Application logs showing Criteria API queries with literal values containing SQL metacharacters or comment terminators.
- Anomalous database query volume or schema enumeration patterns from application tier hosts.
Detection Strategies
- Inventory Java applications and scan dependency manifests (pom.xml, build.gradle) for hibernate-core versions at or below 5.4.23.Final.
- Audit application configuration for hibernate.use_sql_comments=true combined with Criteria API usage.
- Enable database query logging and alert on statements containing comment-escape patterns in literal positions.
Monitoring Recommendations
- Forward database audit events and application logs to a centralized analytics platform for correlation against known SQL injection signatures.
- Monitor for unexpected UNION, SELECT, or schema-metadata access patterns originating from application database accounts.
- Track outbound data volumes from database servers to identify potential exfiltration following injection.
How to Mitigate CVE-2020-25638
Immediate Actions Required
- Upgrade Hibernate ORM to a fixed release beyond 5.4.23.Final.
- Apply Debian security updates referenced in DSA-4908 and the Debian LTS Announcement.
- Apply Oracle Critical Patch Updates for affected products as described in the Oracle Security Alert July 2021, April 2022, and July 2022.
- Audit application code for Criteria API usage with externally controllable literals.
Patch Information
The Hibernate project addressed this issue in releases following 5.4.23.Final. Upstream details are tracked in Red Hat Bug Report #1881353. Distribution-level fixes are available from Debian, and Oracle has shipped corrected components in subsequent Critical Patch Update bundles.
Workarounds
- Disable SQL comment generation by setting hibernate.use_sql_comments=false in the Hibernate configuration.
- Refactor Criteria queries to use parameterized expressions rather than inline literals where feasible.
- Deploy a database firewall or web application firewall rule that blocks comment-delimiter sequences in request parameters bound to query literals.
Configuration example: disable SQL comment generation in Hibernate.
persistence.xml (plain JPA or Quarkus) or hibernate.cfg.xml property:
<property name="hibernate.use_sql_comments" value="false"/>
hibernate.properties (plain Hibernate):
hibernate.use_sql_comments=false
Spring Boot application.properties (Spring Boot forwards keys under the spring.jpa.properties prefix to Hibernate):
spring.jpa.properties.hibernate.use_sql_comments=false
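The parameterization workaround from the list above, shown as an added example that is not code from the Hibernate project or the original page: the same Criteria query written once with an inline literal (the pattern that is exposed when comment generation is enabled on an affected release) and once with a bound parameter. `User` is a hypothetical entity assumed to have a String `name` attribute; the calls are standard JPA 2.x API.

```java
import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.ParameterExpression;
import javax.persistence.TypedQuery;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Root;

public class UserLookup {
    private final EntityManager em;

    public UserLookup(EntityManager em) {
        this.em = em;
    }

    // Exposed pattern: the externally supplied value is rendered as an inline
    // literal. With hibernate.use_sql_comments=true on an affected release the
    // literal text is copied into the /* ... */ comment without escaping.
    public List<User> findByNameInlineLiteral(String name) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<User> q = cb.createQuery(User.class);
        Root<User> u = q.from(User.class);            // User: hypothetical entity
        q.select(u).where(cb.equal(u.get("name"), cb.literal(name)));
        return em.createQuery(q).getResultList();
    }

    // Hardened pattern: the value is bound as a named parameter, so it is sent
    // to the database out of band and never becomes part of the query text,
    // neither in the SQL itself nor in the generated comment.
    public List<User> findByNameParameterized(String name) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<User> q = cb.createQuery(User.class);
        Root<User> u = q.from(User.class);
        ParameterExpression<String> p = cb.parameter(String.class, "name");
        q.select(u).where(cb.equal(u.get("name"), p));
        TypedQuery<User> tq = em.createQuery(q);
        tq.setParameter(p, name);
        return tq.getResultList();
    }
}
```

Combine the parameterized form with the configuration change above; binding alone removes the exposed literal from this query, while disabling comment generation covers queries that still inline literals.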
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


