SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-564 Hibernate SQL Injection

Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged ORM/query-builder usage where untrusted input is concatenated into a query string (HQL/JPQL/criteria-like strings). ORMs don't automatically prevent injection if you build query strings manually.

Why it matters

Injection is still possible when using ORM query strings unsafely.

Safer examples

1) Use parameter binding (don't concatenate)

Always bind parameters instead of stitching user input into query strings.

2) Allowlist sort/filter fields

If you let users choose sort/field names, map choices to known column names rather than trusting raw input (see API01).

3) Use least-privilege DB accounts

Even with safe queries, restrict DB permissions to minimize blast radius.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.