All Hibernate ORM CVEs — Complete Vulnerability History

Hibernate is the most widely used ORM for Java and the default JPA provider behind Spring Data JPA. The CVEs recorded here concern SQL injection in Hibernate's own query rendering (the HQL/Criteria-to-SQL layer). Injection caused by concatenating user input into an HQL string in application code is not a Hibernate CVE and is not fixed by upgrading; it is fixed by binding parameters.

Ecosystem: Java/Maven · 2 CVEs listed

Full CVE history

CVE             Year  Severity         Description                                                              Fix
CVE-2020-25638  2020  HIGH (CVSS 7.4)  SQL injection in the JPA Criteria API: literals were not sanitised when   5.4.24.Final (and 5.3.20.Final)
                                       rendered into SQL comments; reachable with hibernate.use_sql_comments=true
CVE-2023-25194  2023  HIGH             SQL injection via HQL query interpolation (as listed on this page)        6.2.0.Final

Caveat before acting on this table: NVD catalogues CVE-2023-25194 against Apache Kafka Connect (JNDI login-module configuration), not against Hibernate ORM, so verify that identifier against nvd.nist.gov before citing it in a finding. For CVE-2020-25638, affected versions are 5.4.23.Final and earlier; if an immediate upgrade is not possible, keeping hibernate.use_sql_comments at its default of false removes the reachable path.

Current safe version: 6.4.4.Final

# Before (Hibernate 5.x coordinates: org.hibernate:hibernate-core)
5.6.14.Final
# After (Hibernate 6.x coordinates: org.hibernate.orm:hibernate-core)
6.4.4.Final

Note that 5.x to 6.x is a major upgrade, not a drop-in patch: the Maven groupId changes from org.hibernate to org.hibernate.orm, and Hibernate 6 depends on jakarta.persistence (JPA 3.x), so javax.persistence imports must be migrated. In a Spring Boot project the version is managed by the Boot BOM; override the hibernate.version property rather than pinning the artifact directly.

Then run: mvn dependency:tree -Dincludes=org.hibernate.orm,org.hibernate

This shows every path that pulls in hibernate-core, so you can confirm that no transitive dependency still resolves the old org.hibernate:hibernate-core 5.x artifact alongside the new one.

Paste your manifest — get a fixed version with all CVEs patched in seconds.


Free · No signup · No CLI · Runs in your browser

Common questions

Is Hibernate's JPQL/HQL safe from injection?
Yes, as long as every user-supplied value is bound as a parameter (setParameter on a query, or a ParameterExpression in the Criteria API). Hibernate then emits a JDBC placeholder and the value travels through PreparedStatement binding, so it can never be parsed as part of the query. @NamedQuery definitions are safe for the same reason: they are fixed strings with parameter placeholders. The unsafe pattern is building the HQL text itself from user input (string concatenation or String.format into createQuery()); that is ordinary application-level injection and no Hibernate version protects against it. The separate, library-level issue in CVE-2020-25638 concerned how Criteria API literals were rendered, which is another reason to prefer parameters over cb.literal() for anything user-controlled.
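The three patterns above side by side, as an added example that is not code from this page or from the Hibernate project. It assumes a hypothetical JPA entity `User` with fields `email` (String) and `active` (boolean) and an injected `EntityManager`; `findByEmailUnsafe` is the vulnerable form kept only to show what the safe forms avoid.

```java
import jakarta.persistence.EntityManager;
import jakarta.persistence.TypedQuery;
import jakarta.persistence.criteria.CriteriaBuilder;
import jakarta.persistence.criteria.CriteriaQuery;
import jakarta.persistence.criteria.ParameterExpression;
import jakarta.persistence.criteria.Root;
import java.util.List;

/**
 * Lookup helper contrasting HQL string interpolation with parameter binding.
 * Assumption (hypothetical entity for this example):
 *   @Entity class User { @Id Long id; String email; boolean active; }
 */
public class UserLookup {

    private final EntityManager em;

    public UserLookup(EntityManager em) {
        this.em = em;
    }

    // VULNERABLE: the caller's value becomes part of the HQL text itself.
    // An input such as  x' OR '1'='1  changes the structure of the query.
    // No Hibernate upgrade fixes this; it is application-level injection.
    public List<User> findByEmailUnsafe(String email) {
        String hql = "from User u where u.email = '" + email + "'";
        return em.createQuery(hql, User.class).getResultList();
    }

    // SAFE: named parameter. Hibernate renders a JDBC placeholder (?) and binds
    // the value via PreparedStatement, so the input is data, never query text.
    public List<User> findByEmail(String email) {
        TypedQuery<User> q = em.createQuery(
                "from User u where u.email = :email", User.class);
        q.setParameter("email", email);
        return q.getResultList();
    }

    // SAFE: Criteria API with a ParameterExpression instead of cb.literal(email).
    // User-controlled values never touch the literal-rendering code path that
    // CVE-2020-25638 concerned; they are bound exactly like the HQL parameter above.
    public List<User> findActiveByEmail(String email) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<User> cq = cb.createQuery(User.class);
        Root<User> u = cq.from(User.class);
        ParameterExpression<String> p = cb.parameter(String.class, "email");
        cq.select(u).where(cb.and(
                cb.equal(u.get("email"), p),
                cb.isTrue(u.<Boolean>get("active"))));
        return em.createQuery(cq).setParameter(p, email).getResultList();
    }
}
```

A quick review check that catches the unsafe form: grep the codebase for createQuery( calls whose first argument is built with + or String.format, and for cb.literal( applied to anything that originates from a request. Both should be rare and each remaining instance should be justified in review.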
