May 11, 2020

GHSL-2020-020: EL expression input sanitation bypass in Hibernate Validator - CVE-2020-10693

Alvaro Munoz


A bug in Hibernate Validator’s interpolation of constraint error messages enables invalid EL expressions to be evaluated as if they were valid.

This bug enables attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.


Hibernate Validator

Tested Version



Incorrect EL expression tokenization (GHSL-2020-020, CVE-2020-10693)

The ConstraintValidatorContext documentation specifies that developers should be very careful when integrating user input into a custom message template as it will be interpreted by the Expression Language engine, which may allow attackers to run arbitrary Java code.

Several applications attempt to prevent such EL injections by replacing the EL opening delimiter ${ with just {, e.g.:

    // Collapses any run of '$' directly followed by '{' into a plain '{',
    // so that "${...}" (and "$${...}") can no longer start an EL expression.
    public String replaceElDelimiter(final String value) {
        if (value != null) {
            return value.replaceAll("\\$+\\{", "{");
        }
        return null;
    }

This seems to be a secure way to prevent injection attacks: every occurrence of ${ is replaced with {, and because the regex matches a run of $ characters it also defeats more intricate attempts that send e.g. $${ in the hope that the replacement leaves a ${ delimiter behind and so achieves EL execution.

However, a bug in the Hibernate message interpolation parser (org.hibernate.validator.internal.engine.messageinterpolation.parser.TokenCollector) allows attackers to bypass this protection with a payload such as FOO $\A{payload}. The reason is the following:


This issue may lead to mitigation bypasses that allow for remote code execution in affected applications.
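To make the gap between the sanitizer's assumption and the payload shape concrete, the following added example (not code from the advisory or from Hibernate Validator) runs the quoted regex over the cases it handles and over the payload shape named above, next to a broader check and a stricter replacement that do not assume $ and { are adjacent; the stripDollar and dollarBeforeBrace helpers are assumptions for illustration, not project guidance.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example: contrasts the advisory's regex sanitizer with checks that do not
// rely on "${" being contiguous. No Hibernate Validator dependency is needed.
public class ElDelimiterCheck {

    // The sanitizer quoted in the advisory: only "$...${" becomes "{".
    static String replaceElDelimiter(String value) {
        return value == null ? null : value.replaceAll("\\$+\\{", "{");
    }

    // Broader detector (assumption, for illustration): flags any '$' that is later
    // followed by '{', which is the shape of the payload named in the advisory.
    static boolean dollarBeforeBrace(String value) {
        return value != null && Pattern.compile("\\$[^{]*\\{").matcher(value).find();
    }

    // Stricter application-side replacement (assumption, not the project's guidance):
    // drop every '$' from user-controlled text, so no EL delimiter can be assembled
    // whatever the interpolation parser tolerates between '$' and '{'.
    static String stripDollar(String value) {
        return value == null ? null : value.replace("$", "");
    }

    public static void main(String[] args) {
        // Constructed inputs: two cases the regex handles, then the advisory's shape.
        List<String> inputs = List.of(
            "${1+1}",
            "$${1+1}",
            "FOO $\\A{payload}");
        for (String in : inputs) {
            String afterRegex = replaceElDelimiter(in);
            System.out.printf("input=%-18s regex=%-18s still '$...{': %-5b strict=%s%n",
                in, afterRegex, dollarBeforeBrace(afterRegex), stripDollar(in));
        }
    }
}
```

For the first two inputs the regex output no longer contains a $ before a {, while the third input passes through the regex unchanged and is flagged only by the broader check.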


Coordinated Disclosure Timeline

Supporting Resources


This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).


You can contact the GHSL team at, please include the GHSL-2020-020 in any communication regarding this issue.