CVE-2025-35036: CWE-94 Improper Control of Generation of Code ('Code Injection') in Hibernate Hibernate Validator
Hibernate Validator before 6.2.0 and 7.0.0, by default and depending on how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language interpolation of user-supplied data.
AI Analysis
Technical Summary
CVE-2025-35036 is a high-severity vulnerability in Hibernate Validator, the Hibernate project's widely used Java framework for data validation. It is classified as CWE-94, Improper Control of Generation of Code ('Code Injection'). Prior to versions 6.2.0 and 7.0.0, Hibernate Validator interpolates user-supplied input that ends up in a constraint violation message template using Expression Language (EL). An attacker who controls such input can inject EL expressions, potentially leading to arbitrary Java code execution or unauthorized access to sensitive information. Exploitation requires no authentication or user interaction and can occur remotely over the network, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). All versions before 6.2.0 and 7.0.0 are affected; no patch links are provided yet, but the vendor strongly recommends upgrading to the fixed versions. The issue is related to the earlier CVE-2020-5245 and CVE-2025-4428, which also involved unsafe EL interpolation of user input. The CVSS score of 7.3 reflects the impact on confidentiality, integrity, and availability, since arbitrary code execution can lead to data breaches, system compromise, and denial of service. The vulnerability is particularly dangerous in environments where Hibernate Validator validates user input in web applications or services, because a remote, unauthenticated attacker can trigger it without any user interaction.
Potential Impact
For European organizations, the impact of CVE-2025-35036 can be significant, especially for those relying on Java-based enterprise applications using Hibernate Validator for input validation. Exploitation could lead to unauthorized access to sensitive personal data, intellectual property, or critical business information, violating GDPR and other data protection regulations. The ability to execute arbitrary code remotely can result in full system compromise, data exfiltration, ransomware deployment, or disruption of critical services. This poses a direct threat to sectors such as finance, healthcare, government, and telecommunications, which often use Java frameworks extensively. Additionally, the breach of confidentiality and integrity can damage organizational reputation and lead to regulatory fines. Since the vulnerability requires no authentication or user interaction, automated exploitation attempts could rapidly spread, increasing the risk of widespread incidents across European enterprises.
Mitigation Recommendations
European organizations should immediately assess their use of Hibernate Validator and identify affected versions prior to 6.2.0 and 7.0.0. The primary mitigation is to upgrade to Hibernate Validator version 6.2.0 or 7.0.0 or later, where the unsafe EL interpolation has been removed. Until upgrades can be applied, organizations should audit and sanitize all user inputs that may be included in constraint violation messages to prevent injection of malicious EL expressions. Implementing strict input validation and output encoding can reduce risk. Additionally, disabling or restricting Expression Language evaluation in validation messages, if configurable, is recommended. Organizations should monitor network traffic and logs for suspicious EL expressions or unusual error messages indicative of exploitation attempts. Employing runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block EL injection patterns can provide temporary defense. Finally, security teams should update incident response plans to include this vulnerability and educate developers about safe usage of validation frameworks.
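The following is an added illustration, not code from the advisory or from the Hibernate project: it shows the message-building pattern in a custom `ConstraintValidator` that exposes pre-6.2.0 Hibernate Validator to EL interpolation of user input, the safe alternative (a fixed template), and the interim mitigation of configuring a `ValidatorFactory` with `ParameterMessageInterpolator`, which never evaluates `${...}` expressions. The constraint, validator and bean names are hypothetical; it assumes Bean Validation 2.0 (`javax.validation`) and Hibernate Validator 6.x on the classpath.

```java
import java.lang.annotation.*;
import java.util.Set;
import javax.validation.*;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

public class ElInterpolationHardening {
    // Hypothetical custom constraint whose validator builds its own violation message.
    @Constraint(validatedBy = UsernameValidator.class)
    @Target(ElementType.FIELD)
    @Retention(RetentionPolicy.RUNTIME)
    public @interface SafeUsername {
        String message() default "invalid username";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }
    public static class UsernameValidator implements ConstraintValidator<SafeUsername, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value != null && value.matches("[a-z0-9_]{3,32}")) {
                return true;
            }
            ctx.disableDefaultConstraintViolation();
            // RISKY (the CVE-2025-35036 pattern): user input becomes part of the message
            // *template*; before 6.2.0 that template is EL-interpolated, so any ${...}
            // inside the input is evaluated as Expression Language.
            // ctx.buildConstraintViolationWithTemplate("'" + value + "' is not a valid username")
            //    .addConstraintViolation();
            // SAFE: a fixed template; the rejected value is never concatenated into it.
            ctx.buildConstraintViolationWithTemplate("not a valid username").addConstraintViolation();
            return false;
        }
    }
    public static class SignupForm {
        @SafeUsername public String username;
        public SignupForm(String username) { this.username = username; }
    }
    // Defence in depth while an upgrade is pending: ParameterMessageInterpolator resolves
    // only {param} placeholders and never evaluates ${...} EL, whatever the template holds.
    public static Validator elFreeValidator() {
        return Validation.byDefaultProvider().configure()
                .messageInterpolator(new ParameterMessageInterpolator())
                .buildValidatorFactory().getValidator();
    }
    public static void main(String[] args) {
        Set<ConstraintViolation<SignupForm>> vs = elFreeValidator().validate(new SignupForm("Bad Name!"));
        vs.forEach(cv -> System.out.println(cv.getPropertyPath() + ": " + cv.getMessage()));
    }
}
```

Disabling EL globally this way also stops EL in the framework's built-in messages from being evaluated (some default messages rely on it), so it is a stop-gap; upgrading to 6.2.0 / 7.0.0 or later remains the primary fix.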
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-04-15T20:56:24.404Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683f5057182aa0cae28a1d2d
Added to database: 6/3/2025, 7:43:19 PM
Last enriched: 7/11/2025, 3:02:17 AM
Last updated: 8/9/2025, 9:01:25 AM
Views: 24