CVE-2025-35036

EUVD-2025-16774 | HIGH 7.3 (CVSS 3.1)
Published 2025-06-03 | 9119a7d8-5eab-497f-8521-727c672e3725 | GHSA-7v6m-28jr-rg84

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 17:04 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 17:04 (euvd), EUVD-2025-16774
Patch Released: Mar 14, 2026 17:04 (nvd), patch available
CVE Published: Jun 03, 2025 20:15 (nvd)

Description

Hibernate Validator before 6.2.0 and 7.0.0, by default and depending on how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language interpolation of user-supplied data.

Analysis

An Expression Language injection vulnerability (CWE-94, CVSS 7.3) in Hibernate Validator before 6.2.0 and 7.0.0. Where an application places user-supplied input in a constraint violation message template, the default message interpolator evaluates it as EL, so an unauthenticated remote attacker can read sensitive information or execute arbitrary Java code with no user interaction. The CVSS vector rates confidentiality, integrity and availability impact as Low because exposure depends on how the application builds its messages; in applications that do echo user input into a template, the downstream effect is what the related issues CVE-2020-5245 and CVE-2025-4428 illustrate. High severity, prompt remediation; fixed upstream releases (6.2.0 and 7.0.0) are available.

Technical Context

CWE-94 (Code Injection): Expression Language injection through constraint violation message templates built from user input. CVSS 7.3 indicates high severity.

Affected Products

Unspecified product in the record; per the description, Hibernate Validator versions before 6.2.0 and 7.0.0.

Remediation

Upgrade Hibernate Validator to 6.2.0 / 7.0.0 or later, where custom constraint violation messages are no longer interpolated with Expression Language. Independently of the version, keep user-supplied input out of constraint violation message templates: do not concatenate it into the template string, and prefer not to echo it at all. Where EL in messages is not needed, a message interpolator that does not evaluate EL (Hibernate Validator ships ParameterMessageInterpolator for this) removes the sink for deployments that cannot upgrade yet. Generic input validation or WAF rules are only a weak interim measure, because the injection point is the template the application itself builds, not a particular request parameter.
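The description and the remediation above describe the same mechanism from two sides: a template that contains user input is evaluated as EL, and the fix is to keep user input out of the template (and upgrade). The following added example is not code from the page or from the Hibernate Validator project. It assumes the javax.validation (Bean Validation 2.x) API, Hibernate Validator 6.x and an EL implementation on the classpath (with 7.x, replace javax.validation with jakarta.validation); the @Name constraint, NameValidator, Profile, the "input" parameter name and the ${1+1} probe are all hypothetical. It shows the unsafe reporting pattern beside the safe one, a harmless probe that tells the two apart at runtime, and the no-EL interpolator as an interim control.

```java
// Added example (not code from the page or from the Hibernate Validator project).
// Assumes the javax.validation (Bean Validation 2.x) API, Hibernate Validator 6.x and an EL
// implementation on the classpath (the EL implementation is what makes the unsafe path live);
// with Hibernate Validator 7.x, replace javax.validation with jakarta.validation.
// The @Name constraint, NameValidator, Profile and the "input" parameter name are hypothetical.
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.ConstraintViolation;
import javax.validation.Payload;
import javax.validation.Validation;
import javax.validation.Validator;
import org.hibernate.validator.HibernateValidator;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

public class ElInterpolationDemo {

    // Hypothetical constraint: letters and spaces only. The `safe` flag only switches
    // between the two ways of reporting the violation shown in NameValidator.
    @Documented
    @Constraint(validatedBy = NameValidator.class)
    @Target(ElementType.FIELD)
    @Retention(RetentionPolicy.RUNTIME)
    public @interface Name {
        String message() default "invalid name";
        boolean safe() default true;
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    public static class NameValidator implements ConstraintValidator<Name, String> {
        private boolean safe;

        @Override
        public void initialize(Name constraint) { safe = constraint.safe(); }

        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null || value.matches("[A-Za-z ]{1,40}")) {
                return true;
            }
            ctx.disableDefaultConstraintViolation();
            if (!safe) {
                // UNSAFE: the user-controlled value is concatenated into the message *template*.
                // On Hibernate Validator before 6.2.0 / 7.0.0 the template is interpolated with
                // Expression Language by default, so any ${...} in the value is evaluated.
                ctx.buildConstraintViolationWithTemplate("'" + value + "' is not a valid name")
                   .addConstraintViolation();
            } else {
                // SAFE: the template is a fixed string; the value travels as a message
                // parameter and is substituted as text instead of being evaluated.
                ctx.unwrap(HibernateConstraintValidatorContext.class)
                   .addMessageParameter("input", value)
                   .buildConstraintViolationWithTemplate("'{input}' is not a valid name")
                   .addConstraintViolation();
            }
            return false;
        }
    }

    // Hypothetical bean: one field reported the unsafe way, one the safe way.
    public static class Profile {
        @Name(safe = false) public String displayName;
        @Name(safe = true)  public String nickname;
        Profile(String displayName, String nickname) {
            this.displayName = displayName;
            this.nickname = nickname;
        }
    }

    public static void main(String[] args) {
        // Harmless probe. If displayName's message comes back as "'2' is not a valid name",
        // the deployment evaluates EL on user input; a fixed version (or the safe path)
        // echoes the literal ${1+1} instead.
        String probe = "${1+1}";
        Validator defaults = Validation.buildDefaultValidatorFactory().getValidator();
        for (ConstraintViolation<Profile> cv : defaults.validate(new Profile(probe, probe))) {
            System.out.println("default  " + cv.getPropertyPath() + ": " + cv.getMessage());
        }

        // Interim hardening for deployments that cannot upgrade yet: a factory whose
        // interpolator handles {parameters} but never evaluates EL, so even the unsafe
        // reporting style above returns the probe verbatim.
        Validator noEl = Validation.byProvider(HibernateValidator.class)
            .configure()
            .messageInterpolator(new ParameterMessageInterpolator())
            .buildValidatorFactory()
            .getValidator();
        for (ConstraintViolation<Profile> cv : noEl.validate(new Profile(probe, probe))) {
            System.out.println("no-EL    " + cv.getPropertyPath() + ": " + cv.getMessage());
        }
    }
}
```

Two caveats on the design. The `${1+1}` probe is only a detector: a `2` in the returned message proves the sink exists, and that is all a test in CI needs; it deliberately does nothing beyond arithmetic. And the "safe" branch still echoes the input, which is weaker than the upstream guidance quoted in the description (no user input in violation messages at all); it is the fallback for the common case where the API contract requires reflecting the rejected value, and it does not replace the upgrade to 6.2.0 / 7.0.0.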

Priority Score

37 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.5
CVSS: +36
POC: 0

Vendor Status

Ubuntu

Priority: Medium
libhibernate-validator-java
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
upstream needs-triage -
oracular ignored end of life, was needs-triage
questing needs-triage -
plucky ignored end of life, was needs-triage
libhibernate-validator4-java
Release Status Version
jammy needs-triage -
noble needs-triage -
upstream needs-triage -
oracular ignored end of life, was needs-triage
focal needs-triage -
questing needs-triage -
plucky ignored end of life, was needs-triage

Debian

Bug #1107517
libhibernate-validator-java
Release Version Status
bullseye 5.3.6-1 vulnerable
bookworm 5.3.6-2 vulnerable
forky, sid, trixie 5.3.6-3 vulnerable
(unstable): fixed version (unfixed), urgency -
libhibernate-validator4-java
Release Version Status
bullseye 4.3.4-4 vulnerable
forky, sid, bookworm, trixie 4.3.4-7 vulnerable
(unstable): fixed version (unfixed), urgency -


CVE-2025-35036 vulnerability details – vuln.today
