Cyber Resilience

CVE-2025-35036

Severity: Medium

Published: 03 June 2025
Modified: 18 September 2025
KEV Added: not listed
Patch: fixed in releases 6.2.0 and 7.0.0
CVSS Score (v4): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0169 (82.7th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-35036 is a medium-severity Code Injection (CWE-94) vulnerability in Red Hat's Hibernate Validator. Its CVSS base score is 6.9 (Medium).

Operationally, it ranks in the top 17.3% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

Hibernate Validator versions prior to 6.2.0 and 7.0.0 can, by default and depending on usage, perform Expression Language interpolation on user-supplied input within custom constraint violation messages. This behavior stems from the component's handling of HibernateConstraintValidatorContext and is tracked under CWE-94, with a CVSS 4.0 score of 6.9 reflecting network-reachable impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker able to influence constraint violation messages can supply crafted input that triggers EL evaluation, resulting in disclosure of sensitive information or execution of arbitrary Java code. The same class of issue has appeared in downstream products as CVE-2020-5245 and CVE-2025-4428.

The project addressed the flaw in the 6.2.0 and 7.0.0 releases by disabling EL interpolation for custom messages; the referenced commits and Hibernate Validator documentation explicitly advise against permitting user-controlled data in constraint violation messages. EPSS remains low, with a current value of 0.0169 and a peak of 0.0187.
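As an added illustration of the pattern the advisory describes (not code from the advisory or from the Hibernate Validator project), the snippet below contrasts a custom ConstraintValidator that splices the validated value into its message template, which is the shape of code exposed on versions before 6.2.0 and 7.0.0, with one that keeps the template a constant and so never hands untrusted text to the message interpolator. The @Username constraint and UsernameValidator are constructed for this example; the javax.validation package names match the 6.x line (the 7.x line uses jakarta.validation); and enableExpressionLanguage is mentioned only as the opt-in I understand the 6.2.0 release introduced, so treat that name as an assumption to verify against the project's documentation.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;

// Constructed example constraint for this illustration; it is not part of Hibernate Validator.
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = UsernameValidator.class)
@interface Username {
    String message() default "invalid username";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

public class UsernameValidator implements ConstraintValidator<Username, String> {

    // Allow-list: 3 to 32 characters, lowercase letters, digits and underscores.
    private static final String ALLOWED = "^[a-z][a-z0-9_]{2,31}$";

    // Constant template: contains no user-controlled text, so there is nothing
    // for the message interpolator to evaluate regardless of library version.
    private static final String SAFE_TEMPLATE =
            "must be 3 to 32 characters: lowercase letters, digits or underscores";

    @Override
    public boolean isValid(String value, ConstraintValidatorContext context) {
        if (value == null || value.matches(ALLOWED)) {
            return true;
        }

        HibernateConstraintValidatorContext hvContext =
                context.unwrap(HibernateConstraintValidatorContext.class);
        hvContext.disableDefaultConstraintViolation();

        // VULNERABLE PATTERN (exposed on versions before 6.2.0 / 7.0.0):
        // the user-supplied value becomes part of the message *template*, so any
        // Expression Language syntax it carries is evaluated by the interpolator.
        // Kept here, commented out, as the shape to look for in code review:
        //
        //   hvContext.buildConstraintViolationWithTemplate(
        //           "'" + value + "' is not a valid username")
        //           .addConstraintViolation();

        // HARDENED PATTERN: the template is a compile-time constant and the
        // rejected value is not echoed back at all, which is what the project's
        // documentation recommends. If a value must be reported, pass it through
        // hvContext.addMessageParameter(name, value) and reference it as {name}
        // rather than concatenating it into the template; even then, upgrading to
        // 6.2.0 / 7.0.0 remains the actual fix.
        hvContext.buildConstraintViolationWithTemplate(SAFE_TEMPLATE)
                .addConstraintViolation();

        // On fixed versions EL is disabled for custom templates by default. Code
        // that re-enables it (assumption: via enableExpressionLanguage(...) on the
        // violation builder) deserves the same review attention as the pattern above.
        return false;
    }
}
```

From a review standpoint, the two things to search a code base for are string concatenation feeding buildConstraintViolationWithTemplate, and, after upgrading, any call that opts custom messages back into Expression Language; neither should survive review when the message can be influenced by request data.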

Vulnerability details

Hibernate Validator before 6.2.0 and 7.0.0, by default and depending on how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language interpolation of user-supplied data.

CWE(s)

CWE-94 (Code Injection)
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: redhat
Product: hibernate validator
Versions: ≤ 6.2.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

Addresses CWE-94: Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

Addresses CWE-94: Validates inputs used in dynamic code generation to block injected directives.

Addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.
