Dom4j raise up a CVE

Hello everybody,

the transitive dependency dom4j 1.6.1 has a CVE, which is used by hibernate core (see
I noticed that the version is very old (year 2006). Why is not the latest org.dom4j 2.x.x used?
The newest version 2.1.1 has this CVE too, but i hope in the next version it will be fixed.

Thanks and cheers


EDIT: The dom4j 2.1.1 fixed this issue

Thanks for the heads up. Please create a Jira issue for this. Thanks.



Thanks for the issue and Pull Request.

I cannot comment to JIRA tickets, so I’ll try here. Can this be merged back to 5.2, 5.1 and 5.0? I am depending on 5.0 because of … political reasons (my team is not controlling the Spring version used).

Related to merging, you need to talk to @gbadner as she decides what is to be merged on those branches.

1 Like

Thanks for the tip! :pray:

Edit: I’m quite a noob with this Discourse stuff - I thought there were private messages here.

@gbadner Can we see this issue fixed in the previous Hibernate versions too? I am particularly interested in 5.0.x branch, since my team cannot change Spring versions, we have (for the time being) remain on 5.0.x branch.

Try also via HipChat. You can find more details on the Community page. It might be that you get your answer faster on HipChat.

Hello, is any release of 4.x that has this CVE fix? I’m using hibernate 4.2.16.Final and for now cannot upgrade to 5.x but I need this dom4j CVE fix. Thanks.

Hi @lucianoprea!

The last release of the 4.2 series was 4.2.21 and it ships with the same version of Dom4J, 1.6.1. There won’t be any future releases of those legacy versions.

Since the upgrade to Hibernate 5 appears to have only been a build change without any runtime impact, you may be able to get away with doing the same as a part of your own build, override the dependency manually by forcing your build to use 2.1.1 rather than 1.6.1 and see if you hit any regressions locally.

1 Like