CVE-2025-35036 Overview
CVE-2025-35036 is a Code Injection vulnerability affecting Hibernate Validator before versions 6.2.0 and 7.0.0. By default and depending on how it is used, vulnerable versions may interpolate user-supplied input in constraint violation messages with Expression Language (EL). This could allow an attacker to access sensitive information or execute arbitrary Java code on the target system.
Hibernate Validator as of versions 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. This vulnerability is related to the downstream vulnerabilities CVE-2020-5245 (Dropwizard) and CVE-2025-4428 (Ivanti Endpoint Manager Mobile), both of which were Expression Language injection through user-supplied data reaching a Hibernate Validator constraint message.
Critical Impact
Attackers can exploit EL injection to execute arbitrary Java code or extract sensitive data from applications using vulnerable Hibernate Validator versions.
Affected Products
- Hibernate Validator 6.x releases before 6.2.0.Final (javax.validation API)
- Hibernate Validator 7.x pre-releases before 7.0.0.Final (jakarta.validation API)
- Applications using custom constraint validators with user-supplied input in violation messages
Discovery Timeline
- June 3, 2025 - CVE-2025-35036 published to NVD
- September 18, 2025 - Last updated in NVD database
Technical Details for CVE-2025-35036
Vulnerability Analysis
The vulnerability exists in how Hibernate Validator interpolates constraint violation messages. In 6.1.x and earlier, any message template handed to buildConstraintViolationWithTemplate() inside a custom ConstraintValidator was run through the same interpolator as annotation messages, so ${...} and #{...} terms in it were evaluated as Expression Language. A validator that concatenates the rejected value into that template therefore hands attacker-controlled text straight to the EL engine.
Expression Language in Java EE/Jakarta EE applications provides a powerful mechanism for dynamic content evaluation. When user-controlled input reaches the EL interpreter, an attacker can craft payloads that execute arbitrary Java code or read sensitive application context data; filtering such input is unreliable, which is why the upstream fix removes the interpolation rather than sanitizing the message.
The root issue is the default behavior of Hibernate Validator's HibernateConstraintValidatorContext, which processed EL expressions in custom constraint violation messages. Convenient for developers, this default created a dangerous attack surface whenever the message contained unsanitized user input.
Root Cause
The vulnerability is caused by unsafe Expression Language interpolation in constraint violation messages. When a custom constraint validator builds its violation message with buildConstraintViolationWithTemplate() on the (Hibernate)ConstraintValidatorContext and includes user-supplied input in the template, the EL engine evaluates any embedded expressions. This lets an attacker inject EL that invokes arbitrary Java methods, reaches class loaders and reflection, and ultimately executes system commands.
The Hibernate Issue HV-1816 documents the security concerns that led to the architectural changes in versions 6.2.0 and 7.0.0. The fix involved disabling EL interpolation by default and requiring explicit opt-in for such functionality.
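The following Java example, added here and not taken from the page or the Hibernate Validator project, shows the pattern the root cause describes next to its hardened counterpart. It assumes Hibernate Validator 6.x with the javax.validation API and an EL implementation (for example org.glassfish:jakarta.el) on the classpath; the constraint names UnsafeCountry and SafeCountry, the validator classes and the Shipment bean are hypothetical. The probe value `${7*7}` is a constructed input: on 6.1.x and earlier the unsafe message renders it as 49, proving the EL engine evaluated attacker text; on 6.2.0 and later it is left as literal text unless the validator opts in with enableExpressionLanguage() (an API added in 6.2).

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.ConstraintViolation;
import javax.validation.Payload;
import javax.validation.Validation;
import javax.validation.Validator;

public class ElInjectionDemo {

    // Hypothetical allow-list of ISO country codes used by both constraints.
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList("DE", "FR", "US"));

    /** Hypothetical constraint wired to the VULNERABLE validator below. */
    @Target(ElementType.FIELD)
    @Retention(RetentionPolicy.RUNTIME)
    @Constraint(validatedBy = UnsafeCountryValidator.class)
    public @interface UnsafeCountry {
        String message() default "unsupported country code";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    /** Hypothetical constraint wired to the hardened validator below. */
    @Target(ElementType.FIELD)
    @Retention(RetentionPolicy.RUNTIME)
    @Constraint(validatedBy = SafeCountryValidator.class)
    public @interface SafeCountry {
        // Constant template: nothing user-controlled is ever interpolated.
        String message() default "unsupported country code";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    /**
     * VULNERABLE on Hibernate Validator < 6.2.0: the rejected value is concatenated into the
     * message template, and the default interpolator evaluates ${...} / #{...} inside it as EL.
     * On 6.2.0+ the same code is inert unless enableExpressionLanguage() is called on the builder.
     */
    public static class UnsafeCountryValidator implements ConstraintValidator<UnsafeCountry, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null || ALLOWED.contains(value)) {
                return true;
            }
            ctx.disableDefaultConstraintViolation();
            ctx.buildConstraintViolationWithTemplate("'" + value + "' is not a supported country code")
               .addConstraintViolation();
            return false;
        }
    }

    /**
     * Hardened: the validator only returns false and lets the constant annotation message apply.
     * Callers that need the offending value read ConstraintViolation.getInvalidValue(), which is
     * returned as-is and never passed through the message interpolator.
     */
    public static class SafeCountryValidator implements ConstraintValidator<SafeCountry, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            return value == null || ALLOWED.contains(value);
        }
    }

    /** Hypothetical request bean carrying the same attacker-controlled string through both paths. */
    public static class Shipment {
        @UnsafeCountry String unsafeCountry;
        @SafeCountry String safeCountry;

        Shipment(String country) {
            this.unsafeCountry = country;
            this.safeCountry = country;
        }
    }

    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        // Constructed probe input: an EL arithmetic expression instead of a country code.
        Shipment shipment = new Shipment("${7*7}");
        Set<ConstraintViolation<Shipment>> violations = validator.validate(shipment);
        for (ConstraintViolation<Shipment> v : violations) {
            // unsafeCountry's message contains "49" on vulnerable versions; safeCountry's never changes.
            System.out.println(v.getPropertyPath() + " -> " + v.getMessage()
                    + "  (invalidValue=" + v.getInvalidValue() + ")");
        }
    }
}
```

Run it once against hibernate-validator 6.1.7.Final and once against 6.2.0.Final to see the behavioral change the advisory describes; the hardened validator produces the same message on both, and the rejected value is still available to the error response through getInvalidValue() without ever touching the template.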
Attack Vector
In the typical deployment the attack vector is network-based and requires no authentication: any endpoint that validates attacker-controlled input with a vulnerable custom validator is reachable. The attacker submits specially crafted input to an application endpoint that performs validation with Hibernate Validator; the input contains EL expressions that, once concatenated into a constraint violation message and processed by the vulnerable interpolation logic, execute the attacker's payload.
Common exploitation scenarios include:
- Injecting EL expressions through form fields that trigger validation errors
- Exploiting API endpoints that validate request bodies and return detailed error messages
- Targeting applications that echo user input in validation error responses
The watchTowr Exploit Analysis provides detailed technical insights into similar EL injection exploitation techniques affecting downstream products.
Detection Methods for CVE-2025-35036
Indicators of Compromise
- EL syntax such as ${...} or #{...} appearing in user-controlled fields of request or application logs, particularly alongside validation failures
- Evidence of java.lang.Runtime or ProcessBuilder invocation attempts in validation error contexts
- Unexpected outbound network connections originating from application processes
- Application exceptions related to EL evaluation in constraint validation stack traces
Detection Strategies
- Monitor application logs for EL expression syntax patterns in user-submitted data
- Implement Web Application Firewall (WAF) rules to detect and block common EL injection payloads
- Deploy runtime application self-protection (RASP) solutions to detect EL injection attempts
- Review application code for use of HibernateConstraintValidatorContext.buildConstraintViolationWithTemplate() with user input
Monitoring Recommendations
- Enable debug logging for the org.hibernate.validator logger category to capture validation processing details
- Configure security monitoring tools to alert on Java process spawning from web application contexts
- Implement centralized logging to correlate potential exploitation attempts across application instances
- Set up alerts for validation-related exceptions that may indicate exploitation attempts
How to Mitigate CVE-2025-35036
Immediate Actions Required
- Upgrade Hibernate Validator to version 6.2.0.Final or later for the 6.x branch
- Upgrade Hibernate Validator to version 7.0.0.Final or later for the 7.x branch
- Audit custom constraint validators for user input in violation messages
- Implement input validation and sanitization at application entry points
Patch Information
The vulnerability has been addressed in Hibernate Validator versions 6.2.0 and 7.0.0; multiple commits were applied to resolve this issue.
The Hibernate Validator Migration Guide provides detailed upgrade instructions. The version comparison between 6.1.7.Final and 6.2.0.Final shows all security-related changes.
Workarounds
- Never concatenate user-supplied input into a constraint violation message template; use a fixed template and surface the rejected value through ConstraintViolation.getInvalidValue(), which is not interpolated
- Treat sanitization of user input before it reaches a message as defence in depth only; stripping or escaping $ and # is brittle, which is why upstream removed the interpolation rather than filtering input
- Use parameterized messages with message codes (resource bundle keys) instead of dynamic string construction
- If upgrading is not immediately possible, disable EL interpolation by configuring Hibernate Validator's ParameterMessageInterpolator, which resolves only {param} placeholders, as the message interpolator
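If upgrading is not immediately possible, the EL-free interpolator that ships with Hibernate Validator can be installed at factory level. The Java example below is added here (it is not from the page or the project) and assumes Hibernate Validator 6.1.x with the javax.validation API; the Order bean is hypothetical. It also shows the cost of this workaround: built-in messages that themselves use EL, such as the DecimalMax default `must be less than ${inclusive == true ? 'or equal to ' : ''}{value}`, are no longer rendered and come out as the raw expression, so they must be overridden in a ValidationMessages.properties if you take this route.

```java
import java.math.BigDecimal;
import java.util.Set;

import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.ValidatorFactory;
import javax.validation.constraints.DecimalMax;

import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

public class NoElInterpolation {

    /**
     * Builds a ValidatorFactory whose interpolator resolves only {param} placeholders and
     * resource bundle keys. ${...} and #{...} are left untouched, so attacker-controlled text
     * that reaches a custom violation template is never evaluated on pre-6.2 releases.
     */
    public static ValidatorFactory elFreeFactory() {
        return Validation.byDefaultProvider()
                .configure()
                .messageInterpolator(new ParameterMessageInterpolator())
                .buildValidatorFactory();
    }

    /** Hypothetical bean using a built-in constraint whose default message relies on EL. */
    public static class Order {
        @DecimalMax(value = "100.00")
        BigDecimal amount;

        Order(String amount) {
            this.amount = new BigDecimal(amount);
        }
    }

    public static void main(String[] args) {
        Validator withEl = Validation.buildDefaultValidatorFactory().getValidator();
        Validator noEl = elFreeFactory().getValidator();

        // Constructed input that violates @DecimalMax so both factories produce a message.
        Order order = new Order("250.00");

        // Default interpolator: "must be less than or equal to 100.00"
        report("default interpolator (EL on)", withEl.validate(order));
        // ParameterMessageInterpolator: the ${inclusive == true ? ...} term is printed verbatim,
        // which is the trade-off of the workaround and why those messages need overriding.
        report("ParameterMessageInterpolator (EL off)", noEl.validate(order));
    }

    static void report(String label, Set<ConstraintViolation<Order>> violations) {
        for (ConstraintViolation<Order> v : violations) {
            System.out.println(label + ": " + v.getPropertyPath() + " " + v.getMessage());
        }
    }
}
```

Wire elFreeFactory() in wherever the application currently calls Validation.buildDefaultValidatorFactory() (or the equivalent framework hook) so that every Validator in the process shares the EL-free interpolator; a single default factory left in place elsewhere reopens the issue.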
# Maven dependency update example: pin the patched release in pom.xml
# (6.x / javax.validation branch shown; use 7.0.0.Final or later on the 7.x / jakarta.validation branch)
# <dependency>
#   <groupId>org.hibernate.validator</groupId>
#   <artifactId>hibernate-validator</artifactId>
#   <version>6.2.0.Final</version>
# </dependency>
# Verify which Hibernate Validator version Maven actually resolves, including transitive dependencies
mvn dependency:tree -Dincludes=org.hibernate.validator:hibernate-validator
# Gradle equivalent
gradle dependencyInsight --dependency hibernate-validator
# Check for vulnerable versions declared in build files anywhere in the repository
grep -rn "hibernate-validator" --include=pom.xml --include=build.gradle --include=build.gradle.kts .
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.