CVE-2025-35036
unknown
CVSS v3
not available
CVSS v4 NEW
not available
VIR risk
not available
Description
Hibernate Validator may interpolate user-supplied input in a constraint violation message with Expression Language
Predictions
Exploit likelihood
30%
Patch ETA
not available
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | affected | |
| debian | sid | affected | |
| debian | trixie | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.hibernate.validator:hibernate-validator | <6.2.0.CR1 | 6.2.0.CR1 |
| Maven | org.hibernate.validator:hibernate-validator | >=7.0.0.Alpha1,<7.0.0.CR1 | 7.0.0.CR1 |
| Maven | org.hibernate:hibernate-validator | <6.2.0.CR1 | 6.2.0.CR1 |
| Maven | org.hibernate:hibernate-validator | >=7.0.0.Alpha1,<7.0.0.CR1 | 7.0.0.CR1 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-35036
- https://github.com/hibernate/hibernate-validator/pull/1138
- https://github.com/hibernate/hibernate-validator/commit/05f795bb7cf18856004f40e5042709e550ed0d6e
- https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1
- https://github.com/hibernate/hibernate-validator/commit/d2db40b9e7d22c7a0b44d7665242dfc7b4d14d78
- https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893
- https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext
- https://github.com/hibernate/hibernate-validator
- https://github.com/hibernate/hibernate-validator/compare/6.1.7.Final...6.2.0.Final
- https://hibernate.atlassian.net/browse/HV-1816
- https://hibernate.org/validator/documentation/migration-guide/#6-2-0-cr1
- https://in.relation.to/2021/01/06/hibernate-validator-700-62-final-released/#expression-language
- https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428
- https://www.cve.org/CVERecord?id=CVE-2020-5245
- https://www.cve.org/CVERecord?id=CVE-2025-4428
- https://security-tracker.debian.org/tracker/CVE-2025-35036