There are some errors in the CPF constraint and ModCheck, first the constraint format pattern treat non digit characters as optional, but the exclusion patterns don't. i.e. 000.000.000-00 is invalid, but 00000000000 is valid.
The exclusion patterns are missing some other known cases, all document number that is composed only by the same digit is a invalid document that passes the Mod11 check, not only those composed by only zeros or nines.
The method mod11 used for CPF is giving false positives, accepts invalid check digits as valid.
As an example the document number 000.000.000-01 is know to be invalid, same occurs with the number 000.000.000-19, other examples would be 378.796.950-01 and 378.796.950-02 and others.
Two different check digits yet both are valid when put against the Mod11 algorithm used here. That happens because the check digit is being used in the checksum, this can create a condition where the digit validates it self.
I've wrote a patch and some tests, to ensure compatibility I didn't change any return type nor the method signature, passing on all previous tests.
I will send a pull request, after cleaning the code.
Having done that I think it would be wise to change that, pass the check digit separated from the verification list or not passing at all, the mod11 method should calculate the mod not validate it.
Excuse my poor English and thanks for the awesome job.
Hibernate 4.3.Final, Hibernate Validator 5.0.1.Final, PostgreSQL 8.3, JBoss EAP 6.1
But affects any environment using the faulty constraints