Deserialization Vulnerability in c3p0 JDBC Connection Pooling Library
CVE-2026-55223
Severity score: 6.3 (Medium)
What is CVE-2026-55223?
The c3p0 JDBC connection pooling library is susceptible to a deserialization vulnerability when used together with other libraries. The issue arises because DataSource.getConnection() and ConnectionPoolDataSource.getPooledConnection() are treated as properties, so an attacker who controls serialized input can craft a malicious DataSource object whose deserialization invokes a vulnerable JDBC driver, which can compromise the application. The issue is fixed in version 0.14.0; users should upgrade to that version to mitigate the risk.
Affected Version(s)
c3p0 < 0.14.0
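A defender-side check for the affected range, added here as an example and not part of the advisory or the c3p0 project: it scans `mvn dependency:list` / `dependency:tree` style output (the sample lines below are constructed) for c3p0 artifacts older than 0.14.0, comparing versions numerically so that 0.9.5.5 is correctly ranked below 0.14.0. The Maven coordinates `com.mchange:c3p0` and the legacy `c3p0:c3p0` group id are assumed.

```python
"""Flag c3p0 artifacts older than the fixed release 0.14.0 in Maven dependency output."""
import re

FIXED_VERSION = "0.14.0"  # first fixed release, per the advisory
# Group ids c3p0 has been published under (assumption: current releases use
# com.mchange, very old ones the bare "c3p0" group).
C3P0_GROUPS = {"com.mchange", "c3p0"}

# Matches dependency:list / dependency:tree lines such as
#   [INFO]    com.mchange:c3p0:jar:0.9.5.5:compile
#   [INFO] +- c3p0:c3p0:jar:0.9.1.2:compile
# capturing groupId, artifactId and version (type and scope are skipped).
_DEP_RE = re.compile(
    r"^\s*(?:\[INFO\])?[\s|+\\-]*([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)(?::\w+)?"
)


def version_key(version):
    """Numeric tuple so 0.9.5.5 < 0.10.2 < 0.14.0; plain string order gets this wrong.
    Qualifiers such as -SNAPSHOT are ignored, so a 0.14.0 pre-release counts as fixed."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version):
    return version_key(version) < version_key(FIXED_VERSION)


def audit(lines):
    """Return (groupId, artifactId, version) for every c3p0 artifact below 0.14.0."""
    findings = []
    for line in lines:
        m = _DEP_RE.match(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        if group in C3P0_GROUPS and artifact == "c3p0" and is_vulnerable(version):
            findings.append((group, artifact, version))
    return findings


# Constructed sample output (not from a real build) covering both group ids,
# one already-fixed version and an unrelated JDBC driver.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    com.mchange:c3p0:jar:0.9.5.5:compile
[INFO]    com.mchange:mchange-commons-java:jar:0.2.19:compile
[INFO]    c3p0:c3p0:jar:0.9.1.2:compile
[INFO]    com.mchange:c3p0:jar:0.14.0:compile
[INFO]    org.postgresql:postgresql:jar:42.7.3:compile
"""

if __name__ == "__main__":
    for group, artifact, version in audit(SAMPLE_OUTPUT.splitlines()):
        print(f"VULNERABLE: {group}:{artifact}:{version} < {FIXED_VERSION}")
```

Pipe a real `mvn dependency:list` run into `audit()` line by line; only the c3p0 artifact itself is flagged, not its mchange-commons-java helper.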
