JDBC Connection Pooling Library Vulnerability in c3p0 by MChange
CVE-2026-27830
What is CVE-2026-27830?
The c3p0 library, a popular JDBC connection pooling solution, is susceptible to a deserialization vulnerability involving crafted Java-serialized objects and javax.naming.Reference instances. Specifically, the userOverridesAsString property, whose value was handled as a hex-encoded Java-serialized object, poses a significant risk: an attacker able to set this property could execute arbitrary code on the application's classpath. Although issues in c3p0's core dependency, mchange-commons-java, amplify this threat, the weakness primarily stems from how Java-serialized objects are permitted across JNDI interfaces. The vulnerability has been addressed in versions starting with 0.12.0, which use a safer CSV-based property format and restrict configurations for remote class location values.
Affected Version(s)
c3p0 < 0.12.0
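As an added example (not code from c3p0 or from this advisory), the following Python check audits a c3p0 configuration for the condition described above: it flags an affected version and a userOverridesAsString value that hex-decodes to a Java serialization stream (header 0xACED0005). The config dict shape, the sample values and the version strings are assumptions for illustration.

```python
import binascii
import re

# java.io.ObjectOutputStream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
FIXED_VERSION = (0, 12, 0)  # from the advisory: c3p0 < 0.12.0 is affected


def parse_version(version):
    """'0.9.5.5' -> (0, 9, 5); only the first three numeric components matter."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected_version(version):
    return parse_version(version) < FIXED_VERSION


def looks_like_hex_serialized_object(value):
    """True if the value hex-decodes to a Java serialization stream."""
    s = value.strip()
    if not s or len(s) % 2 or not HEX_RE.match(s):
        return False
    return binascii.unhexlify(s).startswith(JAVA_SERIAL_MAGIC)


def audit_user_overrides(config, c3p0_version):
    """Return findings for the userOverridesAsString property (assumed config dict)."""
    findings = []
    value = config.get("userOverridesAsString")
    if value is None:
        return findings
    if is_affected_version(c3p0_version):
        findings.append("c3p0 %s < 0.12.0 deserializes userOverridesAsString; "
                        "upgrade to 0.12.0 or later" % c3p0_version)
    if looks_like_hex_serialized_object(value):
        findings.append("userOverridesAsString holds a hex-encoded Java-serialized "
                        "object; migrate it to the CSV format used from 0.12.0")
    return findings


if __name__ == "__main__":
    # Constructed sample: a hex blob that begins with the serialization header.
    hex_blob = binascii.hexlify(JAVA_SERIAL_MAGIC + b"\x73\x72").decode()
    for cfg, ver in [({"userOverridesAsString": hex_blob}, "0.9.5.5"),
                     ({"userOverridesAsString": "placeholder,csv,value"}, "0.12.0")]:
        print(ver, audit_user_overrides(cfg, ver))
```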
