JNDI Injection and Deserialization Vulnerability in MChange Commons Java Library
CVE-2026-55153
What is CVE-2026-55153?
The MChange Commons Java library (mchange-commons-java), widely used as a set of shared utility classes in Java applications, has a serious vulnerability in its JNDI ObjectFactory implementation in versions prior to 0.6.0. The factory can construct objects of arbitrary classes and set their properties, which opens the door to JNDI injection and to exploitation through deserialization gadgets. For example, setting the contentType property of a Swing JEditorPane during this initialization can trigger HTTP GET requests to malicious URLs from trusted domains. The library's ReferenceIndirector widens the exposure by allowing malicious JNDI Reference objects to be injected during deserialization. Users are advised to update to version 0.6.0 or later to mitigate these risks.
Affected Version(s)
mchange-commons-java < 0.6.0
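The practical question for a defender is whether a build declares an affected version. The following script is an added example written for this page, not code from the advisory or from the mchange-commons-java project; it assumes the Maven coordinates com.mchange:mchange-commons-java, and the pom.xml and Gradle snippets embedded in it are constructed samples. It parses direct dependency declarations, normalizes the version string (padding short versions and ignoring qualifiers such as SNAPSHOT), and flags anything strictly below the fixed release 0.6.0.

```python
"""Flag direct declarations of mchange-commons-java older than 0.6.0 in
Maven and Gradle manifests. Added example; not part of the advisory."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "0.6.0"          # first fixed release per the advisory
ARTIFACT = "mchange-commons-java"
GROUP = "com.mchange"            # assumed Maven groupId for the library


def parse_version(version):
    """Turn '0.2.20' or '0.5.0-SNAPSHOT' into a 3-tuple of ints.

    Numeric components are read left to right; the first non-numeric
    component (a qualifier such as SNAPSHOT) stops parsing, and missing
    components are padded with 0 so that '0.6' compares equal to '0.6.0'.
    """
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version):
    """True when the version is strictly below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def maven_versions(pom_xml):
    """Return versions of the library declared in a pom.xml (including
    dependencyManagement entries). An empty string means the version is
    inherited from a parent or BOM and must be resolved separately."""
    root = ET.fromstring(pom_xml)
    versions = []
    for node in root.iter():
        if not node.tag.endswith("dependency"):   # tolerate the POM namespace
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in node}
        if fields.get("groupId") == GROUP and fields.get("artifactId") == ARTIFACT:
            versions.append(fields.get("version", ""))
    return versions


GRADLE_RE = re.compile(re.escape(GROUP) + ":" + re.escape(ARTIFACT) + r":([\w.\-]+)")


def gradle_versions(build_text):
    """Return versions from 'group:artifact:version' strings in a Gradle file."""
    return GRADLE_RE.findall(build_text)


def scan(pom_xml=None, gradle_text=None):
    """Collect (source, version, vulnerable) for every declaration found.
    'vulnerable' is None when the version could not be determined."""
    findings = []
    if pom_xml is not None:
        for v in maven_versions(pom_xml):
            findings.append(("pom.xml", v, is_vulnerable(v) if v else None))
    if gradle_text is not None:
        for v in gradle_versions(gradle_text):
            findings.append(("build.gradle", v, is_vulnerable(v)))
    return findings


# Constructed sample manifests (not taken from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.mchange</groupId>
      <artifactId>mchange-commons-java</artifactId>
      <version>0.2.20</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>unrelated</artifactId>
      <version>1.0</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_GRADLE = """dependencies {
    implementation 'com.mchange:mchange-commons-java:0.6.0'
}"""

if __name__ == "__main__":
    for source, version, vulnerable in scan(SAMPLE_POM, SAMPLE_GRADLE):
        if vulnerable is None:
            status = "version managed elsewhere, resolve with the build tool"
        else:
            status = "VULNERABLE (< 0.6.0)" if vulnerable else "ok"
        print(f"{source}: {ARTIFACT} {version or '?'} -> {status}")
```

The script only sees direct declarations. The library is commonly pulled in transitively (for example by connection-pool libraries that depend on it), so the authoritative check is the resolved dependency graph from the build tool, such as the output of `mvn dependency:tree` or `gradle dependencies`, where the same version comparison applies.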
