Will It Vibe logoWill It Vibe?
JAVA-003Medium severity-8 points

JPA/Hibernate query built with string concatenation

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

EntityManager/Session createQuery or createNativeQuery is given a JPQL/SQL string built with + instead of a named or positional bind parameter, which is HQL/JPQL injection when the concatenated value is user-controlled.

Why it matters

Building a JPQL or native SQL string with + concatenation inside createQuery/createNativeQuery means anything concatenated in becomes part of the query text. If that value is ever user-controlled, an attacker-supplied value can change the query's logic entirely (classic injection), not just its data.

How to fix it

Use a named or positional bind parameter instead: write the query with :name or ?1 in the string, then call setParameter to supply the value. JPA sends the value separately from the query text, so it can never be interpreted as query syntax.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks