PT-2026-21943 · Unknown+1 · Mchange-Commons-Java+1

Dpp · Published 2026-02-25 · Updated 2026-05-01 · CVE-2026-27727

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: mchange-commons-java versions prior to 0.4.0

Description: mchange-commons-java, a library providing Java utilities, contains code that replicates early JNDI implementations, including support for remote factoryClassLocation values. This allows the potential download and execution of malicious code if an application processes a specially crafted javax.naming.Reference or serialized object. While the JDK has default protections against this behavior via the com.sun.jndi.ldap.object.trustURLCodebase system property, mchange-commons-java's independent JNDI implementation bypasses these protections. This means that libraries such as c3p0, which use mchange-commons-java for JNDI resolution, could be exploited even on a hardened JDK. Starting with version 0.4.0, the library's JNDI functionality is protected by configuration parameters that default to restrictive values. The API endpoint is not explicitly mentioned. The vulnerable parameter is factoryClassLocation.

Recommendations: Upgrade to mchange-commons-java version 0.4.0 or later. Avoid using versions of mchange-commons-java prior to 0.4.0 on application CLASSPATHs.

Exploit · Fix · RCE · Special Elements Injection · Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2026-27727
GHSA-M2CM-222F-QW44
OESA-2026-1690
OPENSUSE-SU-2026:10279-1
OPENSUSE-SU-2026:10281-1
RHSA-2026:14873
RHSA-2026:14874
SUSE-SU-2026:0855-1
SUSE-SU-2026:1035-1

Affected Products

C3P0
Mchange-Commons-Java