Hibernate Validator Expression Language Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A remote code execution vulnerability has been identified in Hibernate Validator versions prior to 6.2.0 and 7.0.0. The issue arises because the validator interpolates constraint violation messages using Expression Language (EL), so user-supplied input that ends up in a message template is evaluated rather than echoed. As a result, an attacker could execute arbitrary Java code or access sensitive information. In the affected versions, custom constraint violation messages are interpolated with EL by default, creating a risk whenever user input reaches a message without proper escaping. The vulnerability has been addressed in Hibernate Validator 6.2.0 and 7.0.0, where the default behavior was changed to disable EL for custom violations, and guidance was provided to avoid allowing user input in violation messages.

Impact

Exploitation of this vulnerability allows remote code execution on the server where the application is running, with the same privileges as the user account the application runs under.

Reproduction

To reproduce this vulnerability, create a custom constraint validator that includes user input in the violation message template without proper escaping. When the validator rejects a value, the Expression Language engine interpolates the message, so EL expressions supplied through the user input are evaluated when the message is processed, potentially leading to arbitrary code execution.
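As an added illustration (not code from this advisory or from the Hibernate Validator project), the vulnerable reporting pattern is shown beside a hardened one that keeps the message template static, which is the behaviour the fixed versions and the project's guidance steer towards. The constraint, validator names and the colour check are hypothetical, and the imports assume the javax.validation API used by Hibernate Validator 6.x (7.x uses jakarta.validation).

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;

/** Hypothetical constraint: the annotated String must be one of a fixed set of colours. */
@Target(ElementType.FIELD)
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = SafeColourValidator.class)
@interface AllowedColour {
    // Static template: no user input is ever spliced into it.
    String message() default "must be one of red, green or blue";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

/** Shared check; the two validators below differ only in how they report failure. */
abstract class ColourValidator implements ConstraintValidator<AllowedColour, String> {
    static final Set<String> ALLOWED = Set.of("red", "green", "blue");
    boolean allowed(String v) { return v == null || ALLOWED.contains(v); }
}

/** Vulnerable pattern on Hibernate Validator < 6.2.0 / 7.0.0. */
class UnsafeColourValidator extends ColourValidator {
    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (allowed(value)) return true;
        ctx.disableDefaultConstraintViolation();
        // The caller-controlled value becomes part of the message *template*, and
        // custom templates are run through the EL interpolator, so a value that
        // contains an EL expression is evaluated instead of being echoed back.
        ctx.buildConstraintViolationWithTemplate("'" + value + "' is not an allowed colour")
           .addConstraintViolation();
        return false;
    }
}

/** Hardened pattern: report the failure with the annotation's fixed template only. */
class SafeColourValidator extends ColourValidator {
    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        // Returning false uses the static message() above as the template; the
        // rejected value is still available to callers through the violation's
        // getInvalidValue(), so nothing user-controlled reaches the interpolator.
        return allowed(value);
    }
}
```

Upgrading to 6.2.0 / 7.0.0 additionally disables EL for custom violations by default, but keeping user input out of message templates remains the correct pattern on every version.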

Remediation

Users can upgrade to Hibernate Validator versions 6.2.0 or 7.0.0 to address this vulnerability. Instructions for updating Hibernate Validator in a Dropwizard application are available in the Dropwizard release notes.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 7.5
exploitability: 5.7
remediation: 8.3
relevance: 0.1
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.