Skip to content

[GHSA-m8p2-495h-ccmh] The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks #5791

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: poc-effectiveness/advisory-improvement-5791
Choose a base branch
from
Open

[GHSA-m8p2-495h-ccmh] The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks #5791

wants to merge 1 commit into from

Conversation

poc-effectiveness
Copy link

@poc-effectiveness poc-effectiveness commented Jul 5, 2025
edited
Loading

Updates

  • Affected products

Comments
Based on our analysis of commits and testing, we have confirmed that this vulnerability is present in the following versions which are not reported in GitHub Advisory Database:
6.0.0.Alpha1 through 6.0.17.Final

We reached out to the corresponding CNA by email regarding this issue, but no reply has been received so far.

[Reasons]
The issue was fixed in version 6.0.18.Final, as indicated by the following commit:
hibernate/hibernate-validator@20d7295

We examine all available versions of org.hibernate.validator:hibernate-validator listed on Maven Repository to ensure no affected versions are overlooked.
https://mvnrepository.com/artifact/org.hibernate.validator/hibernate-validator

We have developed and tested PoCs that reliably reproduce the vulnerability in all the affected versions listed above.
For 6.0.0.Alpha1 to 6.0.4.Final, the pocs are: https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-10219
For other versions, the pocs are: https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Origin/CVE-2019-10219/exploit

Please let us know if any additional information or evidence is required.

@github-actions github-actions bot changed the base branch from main to poc-effectiveness/advisory-improvement-5791 July 5, 2025 03:20
@poc-effectiveness
Copy link
Author

We have already confirmed with Red Hat regarding the affected versions of hibernate-validator, and the corresponding changes have been made as documented in the CVE record: https://www.cve.org/CVERecord?id=CVE-2019-10219.

Please let us know if there are any further updates or actions required.

@poc-effectiveness
Copy link
Author

Hi,

We’ve confirmed the issue with the corresponding CNA. It would mean a lot to us if this could be confirmed, as it would be a great encouragement for our ongoing research. Please let us know if there’s anything else needed.

WeChatf064758569e62fd9084bc5b3e6bf2822

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@poc-effectiveness
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy