Improper Input Validation in Hibernate Validator Affects Sensitive Data Exposure
CVE-2025-35036
6.9 MEDIUM
What is CVE-2025-35036?
Hibernate Validator versions prior to 6.2.0 and 7.0.0 may allow attackers to manipulate user-supplied input embedded in constraint violation messages through Expression Language (EL) interpolation. This poses a risk of exposing sensitive information or executing arbitrary Java code. The updated versions address this issue, and the project strongly recommends against incorporating user data in constraint violation messages, which gives further protection against this class of vulnerability.
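As an added example (not code from this advisory or from the Hibernate Validator project), the pattern the advisory warns about beside the recommended form: a custom ConstraintValidator that keeps the violation message template fixed instead of concatenating the rejected value into it. It assumes the jakarta.validation API of the 7.x line (the 6.x line uses the javax.validation package); the SafeHandle annotation and its validator are constructed for this example.

```java
import jakarta.validation.Constraint;
import jakarta.validation.ConstraintValidator;
import jakarta.validation.ConstraintValidatorContext;
import jakarta.validation.Payload;
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.regex.Pattern;

// Constructed constraint for the example: a short alphanumeric handle.
@Documented
@Constraint(validatedBy = SafeHandleValidator.class)
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
@interface SafeHandle {
    String message() default "value is not a valid handle";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

class SafeHandleValidator implements ConstraintValidator<SafeHandle, String> {
    private static final Pattern HANDLE = Pattern.compile("[A-Za-z0-9_]{1,16}");

    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value == null || HANDLE.matcher(value).matches()) {
            return true; // null is handled by @NotNull if required
        }
        ctx.disableDefaultConstraintViolation();

        // UNSAFE on versions before 6.2.0 / 7.0.0: the rejected value becomes part of the
        // message *template*, so the interpolator treats any "${...}" inside it as EL.
        // ctx.buildConstraintViolationWithTemplate("'" + value + "' is not a valid handle")
        //    .addConstraintViolation();

        // SAFE: the template contains no user data. Callers that need the rejected value
        // read it from ConstraintViolation.getInvalidValue(), which is never interpolated.
        ctx.buildConstraintViolationWithTemplate("value is not a valid handle")
           .addConstraintViolation();
        return false;
    }
}
```

Running a Validator from Validation.buildDefaultValidatorFactory() over a bean whose @SafeHandle field holds a string containing "${...}" produces the fixed message on both old and fixed versions, while the commented-out form would have handed that string to the EL interpolator on the affected releases.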
Affected Version(s)
Hibernate Validator, all versions before 6.2.0
Hibernate Validator, all versions before 7.0.0
Hibernate Validator 6.2.0