{"id":"CVE-2025-35036","details":"Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data.","aliases":["GHSA-7v6m-28jr-rg84"],"modified":"2026-03-20T12:42:38.190234Z","published":"2025-06-03T20:15:21.993Z","references":[{"type":"WEB","url":"https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/"},{"type":"WEB","url":"https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext"},{"type":"WEB","url":"https://www.cve.org/CVERecord?id=CVE-2020-5245"},{"type":"WEB","url":"https://www.cve.org/CVERecord?id=CVE-2025-4428"},{"type":"ADVISORY","url":"https://hibernate.org/validator/documentation/migration-guide/#6-2-0-cr1"},{"type":"ADVISORY","url":"https://in.relation.to/2021/01/06/hibernate-validator-700-62-final-released/#expression-language"},{"type":"ADVISORY","url":"https://github.com/hibernate/hibernate-validator/compare/6.1.7.Final...6.2.0.Final"},{"type":"REPORT","url":"https://github.com/hibernate/hibernate-validator/pull/1138"},{"type":"REPORT","url":"https://hibernate.atlassian.net/browse/HV-1816"},{"type":"FIX","url":"https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1"},{"type":"FIX","url":"https://github.com/hibernate/hibernate-validator/commit/d2db40b9e7d22c7a0b44d7665242dfc7b4d14d78"},{"type":"FIX","url":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893"},{"type":"FIX","url":"https://github.com/hibernate/hibernate-validator/commit/05f795bb7cf18856004f40e5042709e550ed0d6e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hibernate/hibernate-validator","events":[{"introduced":"0"},{"fixed":"a883dcd11d7f9d8bdd8a2069a54cddd9213051c6"},{"fixed":"05f795bb7cf18856004f40e5042709e550ed0d6e"},{"fixed":"254858d9dcc4e7cd775d1b0f47f482218077c5e1"},{"fixed":"d2db40b9e7d22c7a0b44d7665242dfc7b4d14d78"},{"fixed":"e076293b0ee1bfa97b6e67d05ad9eee1ad77e893"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.2.0"}]}}],"versions":["4.2.0.Beta1","4.2.0.Beta2","4.2.0.CR1","4.2.0.Final","4.3.0.Alpha1","4.3.0.Beta1","4.3.0.CR1","4.3.0.Final","5.0.0.Alpha1","5.0.0.Alpha2","5.0.0.Beta1","5.0.0.CR1","5.0.0.CR2","5.0.0.CR3","5.0.0.CR4","5.0.0.CR5","5.0.0.Final","5.0.1.Final","5.1.0.Alpha1","5.1.0.Beta1","5.1.0.CR1","5.1.0.Final","5.1.1.Final","5.2.0.Alpha1","5.2.0.Beta1","5.2.0.CR1","5.2.0.Final","5.2.1.Final","5.2.2.Final","5.3.0.Alpha1","6.0.0.Alpha1","6.0.0.Alpha2","6.0.0.Beta1","6.0.0.Beta2","6.0.0.CR1","6.0.0.CR2","6.0.0.CR3","6.0.1.Final","6.0.2.Final","6.0.3.Final","6.0.4.Final","6.0.5.Final","6.0.6.Final","6.0.7.Final","6.0.8.Final","6.0.9.Final","6.1.0.Alpha1","6.1.0.Alpha2","6.1.0.Alpha3","6.1.0.Alpha4","6.1.0.Alpha5","6.1.0.Alpha6","6.1.0.Final","6.1.1.Final","6.1.2.Final","6.1.3.Final","6.1.4.Final","6.1.5.Final","6.1.6.Final","6.2.0.CR1","7.0.0.Alpha1","7.0.0.Alpha2","7.0.0.Alpha3","7.0.0.Alpha4","7.0.0.Alpha5","7.0.0.Alpha6","pre-validator3-removal"],"database_specific":{"vanir_signatures":[{"target":{"function":"testExpressionLanguageGraphNavigation","file":"engine/src/test/java/org/hibernate/validator/test/internal/engine/messageinterpolation/ExpressionLanguageMessageInterpolationTest.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-0334899a","digest":{"length":385,"function_hash":"53132354848921653279240027062658959689"}},{"target":{"file":"engine/src/test/java/org/hibernate/validator/test/internal/engine/messageinterpolation/ResourceBundleMessageInterpolatorTest.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-06a9fa0b","digest":{"line_hashes":["328843621724750911045197382627416352944","63462871454512816524441712637456389165","141495136267102090788741310730808188435","300226353204490617335826773033150457851"],"threshold":0.9}},{"target":{"function":"addBeanNode","file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintValidatorContextImpl.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-0a26aaaa","digest":{"length":122,"function_hash":"118961829237676041157907882110933172681"}},{"target":{"file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintViolationCreationContext.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-1778ad92","digest":{"line_hashes":["252976711605015100770589015207773339525","81612213826420689844617027361441926903","49842335275290622389380060669589282428","319511715499858770114531143619659726007","259161331718843706623118696590637806126","339239629288093485293896332514725614522","293247054999456889140532142176326152637","280753267405149529550899253669453402","278127830019826735559980297374235412415","7814232471475039296559063841335433329","242353338176685517733360769221301728786","108030884702838902059490566966704441784","273965060529734127197509964326947221189","112086653303994890717802167219725005404","293465200423660725388487217632307300341","252847525410677531402796531687400413884","145200491789580825992072777165995408283","174022087838843045563444434812901968055","333811806111647211646730250574373526345","77517983090291356066623063516793040620","45053727969367004905597851148198418050","157700001041495746771420018243400828225","98977356859280886952677950292432705533","91969324070293694164244086277185274772"],"threshold":0.9}},{"target":{"function":"addPropertyNode","file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintValidatorContextImpl.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-1870c33c","digest":{"length":124,"function_hash":"101539442712769972547130497967522792860"}},{"target":{"function":"testUnwrapToInterfaceTypesSucceeds","file":"engine/src/test/java/org/hibernate/validator/test/internal/engine/messageinterpolation/MessageInterpolatorContextTest.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-18f1e0e9","digest":{"length":389,"function_hash":"182463512985423025305762632926139476296"}},{"target":{"function":"isValid","file":"engine/src/test/java/org/hibernate/validator/test/internal/engine/constraintvalidation/HibernateConstraintValidatorContextTest.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-1b0ec8dc","digest":{"length":444,"function_hash":"320186364514718432697513677683025519954"}},{"target":{"function":"createMessageInterpolatorContext","file":"engine/src/test/java/org/hibernate/validator/test/internal/engine/messageinterpolation/ExpressionLanguageMessageInterpolationTest.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-225af0bf","digest":{"length":178,"function_hash":"322069844497792354756450850256853128732"}},{"target":{"file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/CrossParameterConstraintValidatorContextImpl.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-24211891","digest":{"line_hashes":["38387867936390533170739482806854675986","277321435862514444981217096200225475611","155699438179952175279533588621241577934","268659563863049063498954337646863976804","242580364352010022366276071683865433950","223799848846861403431345878726891664947","131615149295265332088374276846106234545"],"threshold":0.9}},{"target":{"function":"toString","file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintViolationCreationContext.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-242aacce","digest":{"length":519,"function_hash":"150215448806144444760597034261810687753"}},{"target":{"file":"engine/src/main/java/org/hibernate/validator/constraintvalidation/HibernateConstraintValidatorContext.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-25a0d21f","digest":{"line_hashes":["236168143812879097945867485292420371215","85255378519784850102402222423277699163","147870071914341896662213355040564633787"],"threshold":0.9}},{"target":{"function":"testUnknownPropertyInExpressionLanguageGraphNavigation","file":"engine/src/test/java/org/hibernate/validator/test/internal/engine/messageinterpolation/ExpressionLanguageMessageInterpolationTest.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-26c427d3","digest":{"length":375,"function_hash":"229479361117463535132352275601934296276"}},{"target":{"file":"documentation/src/test/java/org/hibernate/validator/referenceguide/chapter06/elinjection/UnsafeValidator.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-2f410e7c","digest":{"line_hashes":["71997551215374492701240441375373535142","334588399728132077406397388111123997322","180769157430490928547612731158416404773","172716599806094832014954327183198626689","339997432328581059295834434718484566592","92257132658430021619774163274698172540","206846247734176531354044275749100357552"],"threshold":0.9}},{"target":{"function":"testContextWithRightDescriptorAndValueAndRootBeanClassIsPassedToMessageInterpolator","file":"engine/src/test/java/org/hibernate/validator/test/internal/engine/messageinterpolation/MessageInterpolatorContextTest.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-34741425","digest":{"length":772,"function_hash":"71637865267256942841001217981165246639"}},{"target":{"function":"createMessageInterpolatorContext","file":"engine/src/test/java/org/hibernate/validator/test/internal/engine/messageinterpolation/ResourceBundleMessageInterpolatorTest.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-38e3da6f","digest":{"length":178,"function_hash":"322069844497792354756450850256853128732"}},{"target":{"function":"toString","file":"engine/src/main/java/org/hibernate/validator/internal/engine/MessageInterpolatorContext.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-39065153","digest":{"length":619,"function_hash":"4310262439267592431776672412182088352"}},{"target":{"file":"engine/src/main/java/org/hibernate/validator/internal/engine/validationcontext/AbstractValidationContext.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-4066d9c7","digest":{"line_hashes":["146538989472556694872644078381621540727","93957680064760391513887592786260703683","18547144624469823422831169379288852720","23288580173192040452721356395902236592","76245036524336187015558907145919654287","155224907965182792173992255524558754890","222776808182164393411845750109986717056","230983729658282625490425648206599689076","109134630767748083164924505394973829891","173399126517783300557384777411789144662","106710059736167581041252931728841451324","289561740505808665574619345874885776409"],"threshold":0.9}},{"target":{"function":"DeferredNodeBuilder","file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintValidatorContextImpl.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-42773c63","digest":{"length":242,"function_hash":"114707050059878911044539726957396659871"}},{"target":{"function":"testUnwrapToImplementationCausesValidationException","file":"engine/src/test/java/org/hibernate/validator/test/internal/engine/messageinterpolation/MessageInterpolatorContextTest.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-4bc777dd","digest":{"length":205,"function_hash":"284676188077209406983594222499073673930"}},{"target":{"file":"engine/src/test/java/org/hibernate/validator/test/internal/engine/constraintvalidation/HibernateConstraintValidatorContextTest.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-4cbe6a35","digest":{"line_hashes":["192828133449171881287463534589596795672","258782749775617411577040580106295970292","181902101250175773934068675381500017644","321709463476339444363871647378776688203","219633620606923864528224774560746356427","137396512183191255767189036374300641803","340043999535238494663328363655145455363","189411554704779852633545860535602107822","83377909607897282877370548333793618540","272049234783027564629473693106447009741","36340731665768782122641646400052862703","23656731540633392009836219130248949407","274434896181436751731068125547618711798","199578658123826124742020656340344671093","178609634567605380351829726497567152655","248302705073372134222860494100845987732","292263653538384450957498607611727807485","117918414250858640740583120275892563607","131689720518313166178824819492137175001","115788208836197059236013001401395563458","239245146730443647901482247242316309105","218953132037519565898096568834106767477"],"threshold":0.9}},{"target":{"file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintValidatorContextImpl.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-51c3814f","digest":{"line_hashes":["75302642506013021970712017376565027409","191188447316302118228476633949073592138","31275596414752950564517468886334588453","282836842835265232366134297415486464729","326936698411891024112123492443571248463","169460484818618500679107837722436585925","152084696911754190919607957651823581034","113123727749761915198677850517317356482","60356947884909002159994241602263691268","174136667918840552496084160114728399386","283583674791811165359963811413306723130","280601835140757829637902263153536422684","339422170566771737652753061405619268344","205257326508397133840032269600947825206","97253006237033444358101051894404037437","220127976337202531064535311784018383431","242567758318819521194051089381381231158","827583641954826408725973861798097259","260141924113731937941573792499389912036","331415050944224993939248709078234341606","244727511195693283132532700656563418598","208875714768334822320780324127799252355","12414599282022076191343679618406202708","82189523761378525101981258843582436271","154986682181421223678096699976597531953","236580211557739289320736835675400859995","255221682464702952019928206880297597854","85387439296524535363464166332041677975","235222027269842621263662902414665630540","223090978164590468018489773816618281294","215348170940134901037612345055721887694","47171478230201316715340225157233624603","295507822992340555665116211115173673000","255682960820961492761707945148051376349","202619927385443025888550000205629602991","130597026911134893839103313961631339635","232757370692693366033070411402436942409","190381578794853372406803747438922908621","90418769186905964937368262793683170668","290543081323550566131877888049260841984","29184955742051900075580115682616317405","59052985948365669429312443058598524922","134918437737490118595302175678859777712","328589382416254929997587084391824345708","283701304722794681007752194271924987530","317905187721522973159963376424122588498","202619927385443025888550000205629602991","130597026911134893839103313961631339635","232757370692693366033070411402436942409","190381578794853372406803747438922908621","231204098947254908987699510524363838902","181888580651923405711423293017521988475","207796908118009688939038850298379792920","270215019285169412499494619287592048073","244804520369314259372998435965307769206","245180044563592485670673967694225057295","174177918938392751540310330956420948991","18504598670090203667605085496343132651","103211439212251734576588319578040713678","80387469855402904399937620223505890037","239064737386540178080514791282287473943","148813715201601151871145886087473314974","3502120077593174801766497001031956612","322207816760354314471492089254956718936","109072954989990454236436583214161400403","34313797698041476438121789688852324244","300357530430681973254265212713373396268","24913105452903778428539774032335289407","300627727587377030358333575488301676792","93442554700554637999098012225139235266","259397406907559618784772251615916282907","312327247692457646473290009332678721671","218436165320707701305239756706021622934","260001261463809818104905026199932748107","49721923595058342406119535458742375785","221185247011306936228648385686821868551","44456892691650776400508465087198708450","335178929986624545512801132637134004509","217216118416563071663043603791245666060","153776234851753381140079012350225687379","329531097348534137518141079115390052400"],"threshold":0.9}},{"target":{"function":"ConstraintViolationCreationContext","file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintViolationCreationContext.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-52b51e25","digest":{"length":168,"function_hash":"245012254926244949103702528907088192501"}},{"target":{"function":"determineGetterPropertySelectionStrategy","file":"engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorFactoryConfigurationHelper.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1","id":"CVE-2025-35036-5701bd40","digest":{"length":671,"function_hash":"22496283116615380084080871322112798781"}},{"target":{"file":"engine/src/main/java/org/hibernate/validator/messageinterpolation/HibernateMessageInterpolatorContext.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-6d42f3c9","digest":{"line_hashes":["110923543789640694883415724689512853842","241583813382439228929298350693446472778"],"threshold":0.9}},{"target":{"function":"getDefaultConstraintViolationCreationContext","file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintValidatorContextImpl.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-6eebda3e","digest":{"length":284,"function_hash":"253530458490350894339114507089905577635"}},{"target":{"function":"testCallingWrongFormatterMethod","file":"engine/src/test/java/org/hibernate/validator/test/internal/engine/messageinterpolation/ExpressionLanguageMessageInterpolationTest.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-74135114","digest":{"length":485,"function_hash":"81972612243982897692564037740107213401"}},{"target":{"file":"engine/src/test/java/org/hibernate/validator/test/internal/engine/messageinterpolation/MessageInterpolatorContextTest.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-744ca6d5","digest":{"line_hashes":["141487912576755250126723616282138324425","36191677921575582579633968704697316549","310651499640288541905818109723176940118","335589872587221461480851734037017190523","100377945753545133392699240077287868123","234849947919067234173653139607424279813","238579143017607923819741045211000168907","56655715071936057179783438160948892837","211308299250145993964318369928031834268","188808449386523985836594909695718271476","109556309760996444458024936896141265390","250830822603696007956660033533563289698","312337018663294427240162436172812885009","38425689923588914145809079519403695212","60446806153132283673683867357652881362","339633595265030056398567319609999272679","288641536012936788037713063913160237937","121664340551973461082882307195728991220","278881713734445938333894053427460350329","234664967641115437495724262157101777479","180514103894426503246423074722215548083"],"threshold":0.9}},{"target":{"function":"MessageInterpolatorContext","file":"engine/src/main/java/org/hibernate/validator/internal/engine/MessageInterpolatorContext.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-7e6bfe6e","digest":{"length":262,"function_hash":"321987572718987299023939602142287973014"}},{"target":{"function":"addContainerElementNode","file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintValidatorContextImpl.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-802c4380","digest":{"length":158,"function_hash":"75031943349832346977188032822730056167"}},{"target":{"function":"determineBeanMetaDataClassNormalizer","file":"engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorFactoryConfigurationHelper.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1","id":"CVE-2025-35036-894a84aa","digest":{"length":130,"function_hash":"196033088981482505071389232797826295625"}},{"target":{"file":"documentation/src/test/java/org/hibernate/validator/referenceguide/chapter06/elinjection/SafeValidator.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-8a036c6d","digest":{"line_hashes":["83069611283624432938652182100144968714","52410910449237198571242435955694478072","250975853427854872224079438918835633901","131627098810617914443333323116896571899"],"threshold":0.9}},{"target":{"function":"addConstraintFailure","file":"engine/src/main/java/org/hibernate/validator/internal/engine/validationcontext/AbstractValidationContext.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-8afb9386","digest":{"length":370,"function_hash":"288772436263012493430397418477259601254"}},{"target":{"file":"engine/src/test/java/org/hibernate/validator/test/internal/engine/messageinterpolation/ExpressionLanguageMessageInterpolationTest.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-8c3a32f9","digest":{"line_hashes":["44425713172553827314140862050185935303","258042919126549078072520715273470492957","309885182070036018117122406899521721678","328843621724750911045197382627416352944","256767799739813710009047963696459729059","40091213280098738043534143067876578242","37858878387282234424930161632719683833","328843621724750911045197382627416352944","143172787547419409215966138949155502496","21427931175884628912028086446254785894","112189258257602030906363422154801821802","328843621724750911045197382627416352944","83568797761224147036484295702934915792","197042291001205135927595771985428220194","198814716146440263825942372375617596306","328843621724750911045197382627416352944","57568660982679153168210582187108385188","57417526255925641604279271166568090900","237225020840227858833518252541006142816","328843621724750911045197382627416352944","63462871454512816524441712637456389165","297290554367787698656349876070332377462"],"threshold":0.9}},{"target":{"function":"addConstraintViolation","file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintValidatorContextImpl.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-9376a80f","digest":{"length":514,"function_hash":"182086881255693514583832724558011700261"}},{"target":{"file":"engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorFactoryConfigurationHelper.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1","id":"CVE-2025-35036-9583359d","digest":{"line_hashes":["300508920332376846227292194512892751279","293229380553587770168195937527710720953","98719507562942298765770930828045545608","30779778829022247796263093577854660258","149177095483548240214520711492150855707","100671570546248295997671331900354552194","8399705681764756983382493063927686752","48307567701072880923167990421117396641","63104721597028361712218511251603430504","29991020944209829490063779004517234313","36790903345555824160024909389473116911","32255667107180162032086822684291292810","11830285366136646454119135187991724607","165705029323554438772806123553767859675","157458670475047157876174661302323466807","89472979370002872438240086455737397558","79967878231520499940593594254935225910","141564700687590939048540240335316259145","35159135555249925748131976404832423062","279890629253226645980772479764797734825","130476103047549705179310112799699359775","230114624849757049758722275797276927823","83752894769842327037381192240342773450","14892274544760176178005121579911613123"],"threshold":0.9}},{"target":{"function":"addBeanNode","file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintValidatorContextImpl.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-960db5d5","digest":{"length":107,"function_hash":"275652114291157372530015732940304659704"}},{"target":{"function":"addContainerElementNode","file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintValidatorContextImpl.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-98cd9faf","digest":{"length":143,"function_hash":"246938003449818050080012172225799269922"}},{"target":{"file":"engine/src/main/java/org/hibernate/validator/internal/engine/MessageInterpolatorContext.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-993a1ede","digest":{"line_hashes":["79146815997352389213525901249184182964","312613274379572972531238141275071643354","21242178813967657957240001781074793938","207495576159389886537827867810243661805","234231925671442658754026083141994932411","131530756527217823436809021114966268124","62096949600491697021977440434675967343","129159135180131998985333932217494913441","228748236975162336095843322576349570047","302682607306612269766217297397768216566","35246827927653820391998359832603085540","104095751116485574523123755926166582209","29331507241852163421685481145321137986","210771485777753933853398869254759030773","221719447708709642718196799221664576925","91669312958107889278626788734146669018","45288154317212400902133119833496776388","116616783052624454758739117334616353192","16797255232932359414861683676904886426","24091121871561732578608309881457133031","303988681080770247937197768309820339192","270483488507467513726693011156853947430","79091752493553847806907672888850059932"],"threshold":0.9}},{"target":{"function":"testLocaleBasedFormatting","file":"engine/src/test/java/org/hibernate/validator/test/internal/engine/messageinterpolation/ExpressionLanguageMessageInterpolationTest.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-99fd5767","digest":{"length":561,"function_hash":"100621570027044874434687083268271006005"}},{"target":{"function":"determineLocaleResolver","file":"engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorFactoryConfigurationHelper.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1","id":"CVE-2025-35036-9f0191c7","digest":{"length":633,"function_hash":"35143339927858444071186802379749373898"}},{"target":{"function":"DeferredNodeBuilder","file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintValidatorContextImpl.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-a5e02d89","digest":{"length":229,"function_hash":"255450829795776674549810895914813506316"}},{"target":{"function":"interpolate","file":"engine/src/main/java/org/hibernate/validator/internal/engine/validationcontext/AbstractValidationContext.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-a7fe350a","digest":{"length":370,"function_hash":"197322020073140837079903820087008160959"}},{"target":{"function":"isValid","file":"documentation/src/test/java/org/hibernate/validator/referenceguide/chapter06/elinjection/SafeValidator.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-afc439f9","digest":{"length":336,"function_hash":"77300442245723970462611723788490232703"}},{"target":{"function":"testGetPropertyPath","file":"engine/src/test/java/org/hibernate/validator/test/internal/engine/messageinterpolation/MessageInterpolatorContextTest.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-b1514aa5","digest":{"length":282,"function_hash":"171530886758935807821933684758464826112"}},{"target":{"function":"addBeanNode","file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintValidatorContextImpl.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-be01d4e6","digest":{"length":107,"function_hash":"275652114291157372530015732940304659704"}},{"target":{"function":"determineCustomViolationExpressionLanguageFeatureLevel","file":"engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorFactoryConfigurationHelper.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1","id":"CVE-2025-35036-c83166f8","digest":{"length":528,"function_hash":"209019870719797936976058663190231917796"}},{"target":{"function":"ConstraintViolationCreationContext","file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintViolationCreationContext.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-d17e19ab","digest":{"length":232,"function_hash":"332628535923395954660255908781981696903"}},{"target":{"function":"isValid","file":"documentation/src/test/java/org/hibernate/validator/referenceguide/chapter06/elinjection/UnsafeValidator.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-d3ca4f84","digest":{"length":242,"function_hash":"263240472940749380765318663146303295178"}},{"target":{"function":"testGetRootBeanType","file":"engine/src/test/java/org/hibernate/validator/test/internal/engine/messageinterpolation/MessageInterpolatorContextTest.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-df9f39ca","digest":{"length":269,"function_hash":"310933027154874388180006298246625639129"}},{"target":{"file":"engine/src/main/java/org/hibernate/validator/internal/util/logging/Log.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-e10ea482","digest":{"line_hashes":["24306329563981798343797185915355204008","41415106509983374281324708908786810329"],"threshold":0.9}},{"target":{"function":"determinePropertyNodeNameProvider","file":"engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorFactoryConfigurationHelper.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1","id":"CVE-2025-35036-e700dfb5","digest":{"length":657,"function_hash":"133691556326701045838224880619560621574"}},{"target":{"function":"addPropertyNode","file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintValidatorContextImpl.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-e8b0fcb9","digest":{"length":139,"function_hash":"328199606188430503672231761461557394831"}},{"target":{"function":"addContainerElementNode","file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintValidatorContextImpl.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-eda3d838","digest":{"length":158,"function_hash":"75031943349832346977188032822730056167"}},{"target":{"file":"engine/src/main/java/org/hibernate/validator/messageinterpolation/AbstractMessageInterpolator.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-f2fe63ac","digest":{"line_hashes":["150091159088893480374004662103753937770","149776191808360603237250178051016251172","192900778300729176162790019297947890108","73448638037801557412208459045151419391","337083005188681222142112405731205839778","318781136323828133990591087597934345129","56331472911362572563310142999012351559","276940979896077165260905938238864837326"],"threshold":0.9}},{"target":{"function":"interpolateMessage","file":"engine/src/main/java/org/hibernate/validator/messageinterpolation/AbstractMessageInterpolator.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-f84abbf7","digest":{"length":701,"function_hash":"185537251007954464180686692451563955467"}},{"target":{"function":"determineConstraintExpressionLanguageFeatureLevel","file":"engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorFactoryConfigurationHelper.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1","id":"CVE-2025-35036-fb060a85","digest":{"length":546,"function_hash":"1765656540626946753989912374371144364"}},{"target":{"function":"addPropertyNode","file":"engine/src/main/java/org/hibernate/validator/internal/engine/constraintvalidation/ConstraintValidatorContextImpl.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893","id":"CVE-2025-35036-ff83e445","digest":{"length":139,"function_hash":"328199606188430503672231761461557394831"}}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-35036.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}