CVE-ID: CVE-2025-35036
Discussion: Hibernate Validator Expression Language Insecure Default Constraint Message Interpolation Remote Code Execution. Hibernate Validator contains a flaw related to the Expression Language component being enabled by default for constraint message interpolation. When user-supplied input is interpolated in a constraint violation message, a context-dependent attacker can access sensitive information or potentially execute arbitrary Java code.
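The coding pattern the Discussion describes, as an added example that is not code from the product or from Hibernate Validator: a custom validator that concatenates input into the message template, beside one that passes the same input as a message parameter. The `SafeName` constraint, the `wellFormed` helper and both validator classes are hypothetical, and the `javax.validation` namespace is assumed because the Hibernate Validator 6.x line uses it.

```java
import java.lang.annotation.*;
import javax.validation.*;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;

public class InterpolationExample {

    // Hypothetical constraint, defined here only so the example is complete.
    @Target(ElementType.FIELD)
    @Retention(RetentionPolicy.RUNTIME)
    @Constraint(validatedBy = HardenedNameValidator.class)
    public @interface SafeName {
        String message() default "invalid name";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    // Hypothetical rule: null (left to @NotNull) or a short identifier.
    static boolean wellFormed(String v) {
        return v == null || v.matches("[A-Za-z0-9_-]{1,64}");
    }

    // Risky: the rejected value becomes part of the message template, so the
    // interpolator parses caller-controlled text as template syntax.
    public static class RiskyNameValidator implements ConstraintValidator<SafeName, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (wellFormed(value)) return true;
            ctx.disableDefaultConstraintViolation();
            ctx.buildConstraintViolationWithTemplate("Invalid name: " + value)
               .addConstraintViolation();
            return false;
        }
    }

    // Hardened: the template is a constant; the value is bound as a message
    // parameter and substituted into {rejected} as data, not as template text.
    public static class HardenedNameValidator implements ConstraintValidator<SafeName, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (wellFormed(value)) return true;
            ctx.disableDefaultConstraintViolation();
            ctx.unwrap(HibernateConstraintValidatorContext.class)
               .addMessageParameter("rejected", value)
               .buildConstraintViolationWithTemplate("Invalid name: {rejected}")
               .addConstraintViolation();
            return false;
        }
    }
}
```

When reviewing custom validators, any call to `buildConstraintViolationWithTemplate` whose argument is not a compile-time constant is the place to look.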
DevTest 10.8.x
DevTest 10.8.2 and DevTest 10.8.3 are not impacted. According to CVE-2025-35036, the affected releases of Hibernate Validator are those before Hibernate Validator release 6.2.0, or before release 7.0.0. Releases 6.2.0 and later, or 7.0.0 and later, are not affected.
Service Virtualization 10.8.1 and 10.8.3 ship with Hibernate Validator 6.2.3 and 6.2.5, which according to the CVE are not affected.