Hibernate Validator, Expression Language Injection, CVE-2025-4428 (Moderate)


How the CVE Works:

Hibernate Validator versions before 6.2.0.CR1 and 7.0.0.CR1 interpolate user-supplied input in constraint violation messages using Expression Language (EL). Attackers can craft malicious input that gets evaluated as EL expressions, leading to arbitrary Java code execution or sensitive data exposure. By default, Hibernate Validator processes custom validation messages with EL, allowing attackers to exploit this if user input is included in these messages. Patched versions (6.2.0.CR1, 7.0.0.CR1) disable EL interpolation in constraint messages, mitigating the risk.

DailyCVE Form:

Platform: Hibernate Validator
Version: <6.2.0.CR1, 7.0.0.Alpha1-CR1
Vulnerability: EL Injection
Severity: Moderate
Date: Jun 5, 2025

Prediction: Patch expected Jun 10, 2025

What Undercode Says:

Exploitation:

1. Malicious Payload Example:

@NotNull(message="${''.getClass().forName('java.lang.Runtime').getMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null), 'calc')}")
private String exploit;

2. Triggering the Exploit:

Submit input that fails validation and contains EL expressions, so the input is interpolated into the constraint violation message.

Mitigation:

1. Immediate Fix:

Upgrade to Hibernate Validator 6.2.0.CR1 or 7.0.0.CR1.

2. Workaround:

Disable EL interpolation manually:

import jakarta.validation.Validation;
import jakarta.validation.ValidatorFactory;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

// Resolves only {parameter} placeholders, never ${...} EL terms (6.x uses javax.validation)
ValidatorFactory factory = Validation.byDefaultProvider()
    .configure()
    .messageInterpolator(new ParameterMessageInterpolator())
    .buildValidatorFactory();
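To confirm the workaround actually takes effect, here is an added example (not code from the advisory or from the Hibernate Validator project). It assumes Hibernate Validator 7.x with jakarta.validation on the classpath (use javax.validation for 6.x); the constraint NoSpaces, the bean Form and the class ElInterpolationCheck are hypothetical names. It wires a validator through the risky pattern, a custom validator that echoes the rejected value into its message template, then checks that a harmless EL probe in that value is left uninterpolated.

```java
import jakarta.validation.*;
import java.lang.annotation.*;
import java.util.Set;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

public class ElInterpolationCheck {
    // Hypothetical constraint whose validator echoes the rejected value into the
    // violation message: the pattern that lets user input reach the interpolator.
    @Target(ElementType.FIELD) @Retention(RetentionPolicy.RUNTIME)
    @Constraint(validatedBy = NoSpaces.Check.class)
    public @interface NoSpaces {
        String message() default "must not contain spaces";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
        class Check implements ConstraintValidator<NoSpaces, String> {
            @Override
            public boolean isValid(String value, ConstraintValidatorContext ctx) {
                if (value == null || !value.contains(" ")) return true;
                ctx.disableDefaultConstraintViolation();
                // Untrusted text used directly as a message template: the risky pattern.
                ctx.buildConstraintViolationWithTemplate("rejected: " + value)
                   .addConstraintViolation();
                return false;
            }
        }
    }
    public static class Form {
        @NoSpaces public String nickname;
        public Form(String nickname) { this.nickname = nickname; }
    }
    // The advisory's workaround: ParameterMessageInterpolator resolves {param}
    // placeholders only and returns ${...} terms unchanged (logging a warning).
    public static Validator hardenedValidator() {
        return Validation.byDefaultProvider().configure()
            .messageInterpolator(new ParameterMessageInterpolator())
            .buildValidatorFactory().getValidator();
    }
    public static String firstMessage(Validator v, String input) {
        Set<ConstraintViolation<Form>> violations = v.validate(new Form(input));
        return violations.isEmpty() ? null : violations.iterator().next().getMessage();
    }
    public static void main(String[] args) {
        // Constructed, harmless probe: an EL-enabled interpolator would turn ${1+1}
        // into 2; the hardened validator must leave it as literal text.
        String msg = firstMessage(hardenedValidator(), "a b ${1+1}");
        if (!"rejected: a b ${1+1}".equals(msg)) throw new IllegalStateException("EL evaluated: " + msg);
        System.out.println("EL left uninterpolated: " + msg);
    }
}
```

Run it once against the current validator configuration: an exception means EL is still being evaluated on a message path that carries user input.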

Detection:

1. Check Version:

mvn dependency:tree | grep "hibernate-validator"

2. Log Analysis:

Monitor application logs for `${...}` sequences appearing in validation messages.

Additional Protections:

1. Input Sanitization:

Reject input containing `${` or `{` sequences, the delimiters of EL expressions and message parameters.

2. Security Scanning:

Use SAST tools to detect EL injection patterns.

References:

Reported By: github.com
