PT-2026-22063 · C3P0+1

Dpp · Published 2026-02-25 · Updated 2026-03-20 · CVE-2026-27830

CVSS v4.0: 8.9 (High)
Vector: AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: c3p0 versions prior to 0.12.0

Description: c3p0, a JDBC connection pooling library, is susceptible to attack through maliciously crafted Java-serialized objects and javax.naming.Reference instances. Specifically, the userOverridesAsString property in several ConnectionPoolDataSource implementations, which represents a Map<String,Map<String,String>>, was previously maintained as a hex-encoded Java-serialized object. An attacker who can modify this property, either directly or through malicious serialized objects or javax.naming.Reference instances, could execute arbitrary code present on the application's CLASSPATH. This risk is amplified by vulnerabilities in c3p0's dependency, mchange-commons-java, whose JNDI functionality includes ungated support for remote factoryClassLocation values: an attacker could set userOverridesAsString through objects indirectly serialized via JNDI references, causing code to be downloaded and executed from a remote factoryClassLocation. Using Java-serialized-object hex encoding for a writable JavaBean property exposed across JNDI interfaces is a significant security concern.

Recommendations: Upgrade to c3p0 version 0.12.0 or later.

Exploit

Fix

Weakness Enumeration

Code Injection
Deserialization of Untrusted Data

Related Identifiers

CVE-2026-27830
GHSA-5476-XC4J-RQCV
OESA-2026-1691
SUSE-SU-2026:0855-1
SUSE-SU-2026:1035-1

Affected Products

C3P0
Mchange-Commons-Java