{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-35036", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "state": "PUBLISHED", "assignerShortName": "cisa-cg", "dateReserved": "2025-04-15T20:56:24.404Z", "datePublished": "2025-06-03T19:27:42.900Z", "dateUpdated": "2025-06-05T18:41:26.981Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data."}], "affected": [{"vendor": "Hibernate", "product": "Hibernate Validator", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "6.2.0", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "7.0.0", "versionType": "custom"}, {"version": "6.2.0", "status": "unaffected"}, {"version": "7.0.0", "status": "unaffected"}]}], "problemTypes": [{"descriptions": [{"description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE", "cweId": "CWE-94"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-06-03T18:00:12.785957Z", "id": "CVE-2025-35036", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "hibernate-validator insecure default Expression Language interpolation", "references": [{"name": "url", "url": "https://hibernate.org/validator/documentation/migration-guide/#6-2-0-cr1"}, {"name": "url", "url": "https://in.relation.to/2021/01/06/hibernate-validator-700-62-final-released/#expression-language"}, {"name": "url", "url": "https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext"}, {"name": "url", "url": "https://hibernate.atlassian.net/browse/HV-1816"}, {"name": "url", "url": "https://github.com/hibernate/hibernate-validator/compare/6.1.7.Final...6.2.0.Final"}, {"name": "url", "url": "https://github.com/hibernate/hibernate-validator/commit/05f795bb7cf18856004f40e5042709e550ed0d6e"}, {"name": "url", "url": "https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1"}, {"name": "url", "url": "https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893"}, {"name": "url", "url": "https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/"}, {"name": "url", "url": "https://github.com/hibernate/hibernate-validator/commit/d2db40b9e7d22c7a0b44d7665242dfc7b4d14d78"}, {"name": "url", "url": "https://github.com/hibernate/hibernate-validator/pull/1138"}, {"name": "url", "url": "https://www.cve.org/CVERecord?id=CVE-2025-4428"}, {"name": "url", "url": "https://www.cve.org/CVERecord?id=CVE-2020-5245"}], "datePublic": "2020-11-25T00:00:00.000Z", "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2025-06-03T19:27:42.900Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-05T18:41:11.769413Z", "id": "CVE-2025-35036", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-05T18:41:26.981Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-35036", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-05T18:41:11.769413Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-05T18:41:22.596Z"}}], "cna": {"title": "hibernate-validator insecure default Expression Language interpolation", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-35036", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-03T18:00:12.785957Z"}}}], "affected": [{"vendor": "Hibernate", "product": "Hibernate Validator", "versions": [{"status": "affected", "version": "0", "lessThan": "6.2.0", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "7.0.0", "versionType": "custom"}, {"status": "unaffected", "version": "6.2.0"}, {"status": "unaffected", "version": "7.0.0"}], "defaultStatus": "unknown"}], "datePublic": "2020-11-25T00:00:00.000Z", "references": [{"url": "https://hibernate.org/validator/documentation/migration-guide/#6-2-0-cr1", "name": "url"}, {"url": "https://in.relation.to/2021/01/06/hibernate-validator-700-62-final-released/#expression-language", "name": "url"}, {"url": "https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext", "name": "url"}, {"url": "https://hibernate.atlassian.net/browse/HV-1816", "name": "url"}, {"url": "https://github.com/hibernate/hibernate-validator/compare/6.1.7.Final...6.2.0.Final", "name": "url"}, {"url": "https://github.com/hibernate/hibernate-validator/commit/05f795bb7cf18856004f40e5042709e550ed0d6e", "name": "url"}, {"url": "https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1", "name": "url"}, {"url": "https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893", "name": "url"}, {"url": "https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/", "name": "url"}, {"url": "https://github.com/hibernate/hibernate-validator/commit/d2db40b9e7d22c7a0b44d7665242dfc7b4d14d78", "name": "url"}, {"url": "https://github.com/hibernate/hibernate-validator/pull/1138", "name": "url"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-4428", "name": "url"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2020-5245", "name": "url"}], "descriptions": [{"lang": "en", "value": "Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2025-06-03T19:27:42.900Z"}}}, "cveMetadata": {"cveId": "CVE-2025-35036", "state": "PUBLISHED", "dateUpdated": "2025-06-05T18:41:26.981Z", "dateReserved": "2025-04-15T20:56:24.404Z", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "datePublished": "2025-06-03T19:27:42.900Z", "assignerShortName": "cisa-cg"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data."}, {"lang": "es", "value": "Hibernate Validator, en versiones anteriores a la 6.2.0 y la 7.0.0, puede, de forma predeterminada y seg\u00fan su uso, interpolar la informaci\u00f3n proporcionada por el usuario en un mensaje de violaci\u00f3n de restricciones con Expression Language. Esto podr\u00eda permitir a un atacante acceder a informaci\u00f3n confidencial o ejecutar c\u00f3digo Java arbitrario. Hibernate Validator, a partir de la 6.2.0 y la 7.0.0, ya no interpola mensajes personalizados de violaci\u00f3n de restricciones con Expression Language y recomienda encarecidamente no permitir la informaci\u00f3n proporcionada por el usuario en dichos mensajes. CVE-2020-5245 y CVE-2025-4428 son ejemplos de vulnerabilidades relacionadas con la interpolaci\u00f3n de datos proporcionados por el usuario en Expression Language."}], "id": "CVE-2025-35036", "lastModified": "2025-06-04T14:54:33.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}, "published": "2025-06-03T20:15:21.993", "references": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://github.com/hibernate/hibernate-validator/commit/05f795bb7cf18856004f40e5042709e550ed0d6e"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://github.com/hibernate/hibernate-validator/commit/d2db40b9e7d22c7a0b44d7665242dfc7b4d14d78"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://github.com/hibernate/hibernate-validator/compare/6.1.7.Final...6.2.0.Final"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://github.com/hibernate/hibernate-validator/pull/1138"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://hibernate.atlassian.net/browse/HV-1816"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://hibernate.org/validator/documentation/migration-guide/#6-2-0-cr1"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://in.relation.to/2021/01/06/hibernate-validator-700-62-final-released/#expression-language"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://www.cve.org/CVERecord?id=CVE-2020-5245"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://www.cve.org/CVERecord?id=CVE-2025-4428"}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}

{"bugzilla": {"description": "hibernate-validator: Hibernate Validator Expression Language Injection", "id": "2370118", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370118"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-94", "details": ["Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data.", "A flaw was found in Hibernate Validator. This vulnerability allows unauthorized access to sensitive information or the execution of arbitrary Java code by interpolating user-supplied input in a constraint violation message with an Expression Language."], "mitigation": {"lang": "en:us", "value": "Users who are unable to upgrade should manually disable Expression Language interpolation to prevent EL injection. If disabling is not feasible, carefully sanitize and validate any dynamic input before inclusion."}, "name": "CVE-2025-35036", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Affected", "package_name": "hibernate-validator", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-core:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-deps:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "resteasy", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "hibernate-validator", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "hibernate-validator", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "hibernate-validator", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "hibernate-validator", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "hibernate-validator", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "hibernate-validator", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "hibernate-validator", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "hibernate-validator", "product_name": "streams for Apache Kafka"}], "public_date": "2025-06-03T19:27:42Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-35036\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-35036\nhttps://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext\nhttps://github.com/hibernate/hibernate-validator/commit/05f795bb7cf18856004f40e5042709e550ed0d6e\nhttps://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1\nhttps://github.com/hibernate/hibernate-validator/commit/d2db40b9e7d22c7a0b44d7665242dfc7b4d14d78\nhttps://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893\nhttps://github.com/hibernate/hibernate-validator/compare/6.1.7.Final...6.2.0.Final\nhttps://github.com/hibernate/hibernate-validator/pull/1138\nhttps://hibernate.atlassian.net/browse/HV-1816\nhttps://hibernate.org/validator/documentation/migration-guide/#6-2-0-cr1\nhttps://in.relation.to/2021/01/06/hibernate-validator-700-62-final-released/#expression-language\nhttps://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/\nhttps://www.cve.org/CVERecord?id=CVE-2020-5245\nhttps://www.cve.org/CVERecord?id=CVE-2025-4428"], "statement": "This vulnerability marked as Important rather than Moderate because it enables Expression Language (EL) injection through user-supplied input embedded in validation messages \u2014 effectively escalating a benign validation failure into a potential Remote Code Execution (RCE) vector. In environments where EL expressions have access to application internals, attackers can craft payloads that access sensitive Java objects, invoke arbitrary methods, or manipulate server-side logic. The fact that this behavior is triggered by the default configuration \u2014 without any explicit developer error \u2014 further amplifies the risk.", "threat_severity": "Important"}