CVE-2026-27830: CWE-502: Deserialization of Untrusted Data in swaldman c3p0
c3p0, a JDBC connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, whether on an existing `ConnectionPoolDataSource` or via maliciously crafted serialized objects or `javax.naming.Reference` instances, could cause unexpected code on the application's `CLASSPATH` to execute.

The danger of this vulnerability was strongly magnified by vulnerabilities in c3p0's main dependency, mchange-commons-java. That library includes code that mirrors early implementations of JNDI functionality, including ungated support for remote `factoryClassLocation` values. Attackers could set c3p0's `userOverridesAsString` to hex-encoded serialized objects that include objects "indirectly serialized" via JNDI references. Deserialization of those objects and dereferencing of the embedded `javax.naming.Reference` objects could provoke download and execution of malicious code from a remote `factoryClassLocation`.

Although the hazard presented by c3p0's vulnerabilities is exacerbated by vulnerabilities in mchange-commons-java, using Java-serialized-object hex as the format for a writable JavaBean property, on objects that may be exposed across JNDI interfaces, represents a serious independent fragility.

The `userOverridesAsString` property of c3p0 `ConnectionPoolDataSource` classes has been reimplemented to use a safe CSV-based format rather than rely upon potentially dangerous Java object deserialization. c3p0 0.12.0 and later depend upon mchange-commons-java 0.4.0+, which gates support for remote `factoryClassLocation` values behind configuration parameters that default to restrictive values. c3p0 additionally enforces the new mchange-commons-java `com.mchange.v2.naming.nameGuardClassName` to prevent injection of unexpected, potentially remote JNDI names. There is no supported workaround for versions of c3p0 prior to 0.12.0.
AI Analysis
Technical Summary
The c3p0 library prior to version 0.12.0 stores the userOverridesAsString property of its ConnectionPoolDataSource implementations as a hex-encoded Java-serialized object. Any attacker who can set this property can therefore supply malicious serialized objects or javax.naming.Reference instances that the application deserializes and dereferences. Combined with the JNDI-style functionality in the mchange-commons-java dependency, which accepted remote factoryClassLocation values without restriction, this allowed an attacker to trigger download and execution of remote code. The vulnerability is addressed in c3p0 0.12.0+, which switches userOverridesAsString to a CSV-based format and depends on mchange-commons-java 0.4.0+, where remote factoryClassLocation values are gated behind configuration that defaults to restrictive values and a name guard (com.mchange.v2.naming.nameGuardClassName) rejects unexpected JNDI names.
Potential Impact
Successful exploitation allows attackers with the ability to reset the userOverridesAsString property to execute arbitrary code on the application's classpath, potentially leading to remote code execution. The vulnerability is exacerbated by unsafe JNDI functionality in the mchange-commons-java dependency, increasing the risk of malicious code download and execution from remote locations. This can compromise the confidentiality, integrity, and availability of affected systems running vulnerable c3p0 versions.
Mitigation Recommendations
Upgrade to c3p0 version 0.12.0 or later, which replaces the vulnerable hex-encoded serialized object format with a safe CSV-based format for the userOverridesAsString property. Additionally, ensure that the mchange-commons-java dependency is version 0.4.0 or higher, which restricts remote factoryClassLocation values and enforces name guarding to prevent injection attacks. There is no supported workaround for versions prior to 0.12.0; upgrading is the only effective remediation.
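As an added audit example (not c3p0's own code and not part of the advisory), the Python below does the two checks a defender would want before and after the upgrade above: it compares declared c3p0 and mchange-commons-java versions against the fixed releases named in this advisory, and it scans configuration text for a userOverridesAsString value that still carries a Java-serialized payload. The scanner keys on the Java serialization stream header (STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005), which every java.io.ObjectOutputStream stream begins with; the text prefix, the truncated hex payload and the config lines in the sample are constructed for illustration, and the regular expression for locating the property in XML, .properties and YAML files is an assumption about how the property typically appears. A version below the fixed release is a reason to upgrade, not proof that the property is reachable by an attacker in a given deployment.

```python
import re
from typing import Dict, List, Tuple

# Every java.io.ObjectOutputStream stream starts with STREAM_MAGIC (0xACED)
# followed by STREAM_VERSION (0x0005); that is the signature we look for.
JAVA_SERIAL_MAGIC = "aced0005"

# Fixed releases named in the advisory.
FIXED_C3P0 = (0, 12, 0)
FIXED_MCJ = (0, 4, 0)

# Assumption: the property shows up as an XML attribute pair
# (name="userOverridesAsString" value="..."), a .properties line
# (c3p0.userOverridesAsString=...) or a YAML key (userOverridesAsString: ...).
PROPERTY_RE = re.compile(
    r"userOverridesAsString[\"']?\s*(?:value\s*=|=|:)\s*[\"']?([^\"'\s<]+)",
    re.IGNORECASE,
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """'0.9.5.5' -> (0, 9, 5); '0.12' -> (0, 12, 0); non-numeric suffixes are dropped."""
    nums: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    nums = (nums + [0, 0, 0])[:3]
    return nums[0], nums[1], nums[2]


def is_vulnerable(c3p0_version: str, mcj_version: str = "") -> Dict[str, bool]:
    """True for each artifact whose declared version is below its fixed release."""
    report = {"c3p0": parse_version(c3p0_version) < FIXED_C3P0}
    if mcj_version:
        report["mchange-commons-java"] = parse_version(mcj_version) < FIXED_MCJ
    return report


def carries_serialized_object(value: str) -> bool:
    """True if the value's hex payload begins with the Java serialization header.
    A text prefix before the last ':' is skipped; a CSV-style value never matches."""
    hex_part = value.strip().rsplit(":", 1)[-1].lower()
    return hex_part.startswith(JAVA_SERIAL_MAGIC)


def scan_config(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, value) for every userOverridesAsString that looks serialized."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for value in PROPERTY_RE.findall(line):
            if carries_serialized_object(value):
                hits.append((lineno, value))
    return hits


# Constructed sample config, not taken from any real deployment. The hex after the
# (assumed) "HexAsciiSerializedMap:" prefix is the truncated start of a serialized
# java.util.HashMap; the last line is a placeholder non-serialized value.
SAMPLE_CONFIG = """\
# constructed sample
<property name="userOverridesAsString" value="HexAsciiSerializedMap:ACED0005737200116A6176612E7574696C2E486173684D6170"/>
c3p0.userOverridesAsString=HexAsciiSerializedMap:aced0005737200116a6176612e7574696c2e486173684d6170
c3p0.userOverridesAsString=someuser,maxPoolSize,5
"""

if __name__ == "__main__":
    print(is_vulnerable("0.9.5.5", "0.2.20"))   # both below the fixed releases
    print(is_vulnerable("0.12.0", "0.4.0"))     # both at the fixed releases
    for lineno, value in scan_config(SAMPLE_CONFIG):
        print(f"line {lineno}: serialized userOverridesAsString -> {value[:40]}...")
```

Run it against exported pool configuration (Spring XML, c3p0.properties, application YAML) and your dependency tree; any hit from scan_config means a pre-0.12.0 serialized payload is still present and should be regenerated in the CSV-based format after upgrading.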
CVSS v4.0
Score: 8.9 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:32:39.800Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699f9a40b7ef31ef0b7260eb
Added to database: 2/26/2026, 12:56:32 AM
Last enriched: 5/10/2026, 2:07:24 AM
Last updated: 5/27/2026, 1:40:35 PM