Bug#1107517: libhibernate-validator-java: CVE-2025-35036

Salvatore Bonaccorso carnil at debian.org
Sun Jun 8 15:08:03 BST 2025


Source: libhibernate-validator-java
Version: 5.3.6-3
Severity: important
Tags: upstream
Forwarded: https://hibernate.atlassian.net/browse/HV-1816
X-Debbugs-Cc: carnil at debian.org
Control: clone -1 -2
Control: reassign -2 src:libhibernate-validator4-java 4.3.4-7
Control: retitle -2 libhibernate-validator4-java: CVE-2025-35036

Hi,

The following vulnerability was published for hibernate-validator.

Note I'm filing this report in the hope of getting some help to properly
assess this issue for the older versions in Debian.

CVE-2025-35036[0]:
| Hibernate Validator before 6.2.0 and 7.0.0, by default and depending
| how it is used, may interpolate user-supplied input in a constraint
| violation message with Expression Language. This could allow an
| attacker to access sensitive information or execute arbitrary Java
| code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer
| interpolates custom constraint violation messages with Expression
| Language and strongly recommends not allowing user-supplied input in
| constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are
| examples of related, downstream vulnerabilities involving Expression
| Language interpolation of user-supplied data.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-35036
    https://www.cve.org/CVERecord?id=CVE-2025-35036
[1] https://hibernate.atlassian.net/browse/HV-1816
[2] https://github.com/hibernate/hibernate-validator/pull/1138

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
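For reviewers assessing the older Debian packages, the following is an added example (not code from the report or from the hibernate-validator project) of the pattern the CVE text describes: a custom validator that concatenates the validated value into a constraint violation message template, next to the hardened variant. It assumes the javax.validation 2.0 API and a Hibernate Validator release before 6.2 (the 6.0/6.1 line); the @SafeName constraint and SafeNameValidator class are hypothetical names chosen for the illustration.

```java
import java.lang.annotation.*;
import javax.validation.*;
import org.hibernate.validator.HibernateValidator;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

// Hypothetical constraint used only to illustrate the message-template pattern.
@Constraint(validatedBy = SafeNameValidator.class)
@Target(ElementType.FIELD)
@Retention(RetentionPolicy.RUNTIME)
@interface SafeName {
    String message() default "invalid name";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}
public class SafeNameValidator implements ConstraintValidator<SafeName, String> {
    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value == null || value.matches("[A-Za-z0-9_-]{1,32}")) {
            return true;
        }
        ctx.disableDefaultConstraintViolation();
        // VULNERABLE form (the pattern the CVE text describes): the raw value is
        // concatenated into the template, so a "${...}" sequence inside it is
        // evaluated as Expression Language by affected releases:
        //   ctx.buildConstraintViolationWithTemplate("Invalid name: " + value)
        // Hardened form: escape the template metacharacters first, so the value
        // is carried into the message literally.
        ctx.buildConstraintViolationWithTemplate("Invalid name: " + escapeTemplate(value))
           .addConstraintViolation();
        return false;
    }

    // Backslash-escape the characters the Bean Validation message grammar treats
    // specially: "\", "{", "}" and "$" (neutralises both "{...}" and "${...}").
    static String escapeTemplate(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (char c : s.toCharArray()) {
            if (c == '\\' || c == '{' || c == '}' || c == '$') sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }
    // Defence in depth on releases before 6.2/7.0: ParameterMessageInterpolator
    // resolves {parameters} but never evaluates ${...}, whatever reaches a template.
    static Validator elFreeValidator() {
        return Validation.byProvider(HibernateValidator.class).configure()
                .messageInterpolator(new ParameterMessageInterpolator())
                .buildValidatorFactory().getValidator();
    }
}
```

When auditing a codebase that depends on the Debian 5.x or 4.x packages, every call to buildConstraintViolationWithTemplate whose argument is built from request data is the place to check.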
