Description
mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `jaxax.naming.Reference` or serialized object, they can provoke the download and execution of malicious code. Implementations of this functionality within the JDK were disabled by default behind a System property that defaults to `false`, `com.sun.jndi.ldap.object.trustURLCodebase`. However, since mchange-commons-java includes an independent implementation of JNDI derefencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs.
Published: 2026-02-25
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Upgrade
AI Analysis

Impact

mchange-commons-java implements legacy JNDI handling, allowing external factory class locations to be resolved and executed by an application. If an attacker can supply a maliciously crafted Reference or serialized object, the library will download and run arbitrary code in the application's process. The flaw is rooted in unsafe deserialization and uncontrolled network-based codebase loading, represented by CWE-502 and CWE-74. This enables full compromise of the hosting system, granting the attacker any privileges the application runs with.

Affected Systems

The vulnerability affects the mchange-commons-java library provided by swaldman. All releases prior to 0.4.0 are confirmed to execute remote code by default. Starting with 0.4.0 the library includes configuration guards that default to restrictive settings, but the functionality remains present and can be re-enabled by application configuration. Any system that includes mchange-commons-java on its classpath and processes untrusted serialized data or JNDI references is at risk.

Risk and Exploitability

The CVSS score of 8.9 classifies this issue as High severity. The EPSS score of less than 1% indicates that, while still high impact, exploitation in the wild is currently rare or not widely observed. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, reducing the urgency of the risk but not eliminating it. The attack vector is inferred as exploitation of the library’s JNDI reference resolution by supplying crafted references or serialized payloads into the application. Precautions around classpath inclusion and configuration defaults mitigate the risk, but the primary mitigation is to remove or upgrade the affected library.

Generated by OpenCVE AI on April 17, 2026 at 15:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mchange-commons-java to version 0.4.0 or later and ensure its configuration defaults remain restrictive.
  • Explicitly disable external JNDI reference resolution by setting the appropriate configuration property (e.g., disabling dynamic classloading or codebase URLs) in the library’s settings.
  • If an upgrade is not feasible, remove or isolate the library from the application’s classpath to prevent accidental deserialization and JNDI processing.

Generated by OpenCVE AI on April 17, 2026 at 15:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m2cm-222f-qw44 mchange-commons-java: Remote Code Execution via JNDI Reference Resolution
History

Wed, 11 Mar 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Mchange
Mchange mchange Commons Java
CPEs cpe:2.3:a:mchange:mchange_commons_java:*:*:*:*:*:*:*:*
Vendors & Products Mchange
Mchange mchange Commons Java
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Swaldman
Swaldman mchange-commons-java
Vendors & Products Swaldman
Swaldman mchange-commons-java

Thu, 26 Feb 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-502
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Important

Wed, 25 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Description mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `jaxax.naming.Reference` or serialized object, they can provoke the download and execution of malicious code. Implementations of this functionality within the JDK were disabled by default behind a System property that defaults to `false`, `com.sun.jndi.ldap.object.trustURLCodebase`. However, since mchange-commons-java includes an independent implementation of JNDI derefencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs.
Title mchange-commons-java: Remote Code Execution via JNDI Reference Resolution
Weaknesses CWE-74
References
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Mchange Mchange Commons Java
Swaldman Mchange-commons-java
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T20:15:05.299Z

Reserved: 2026-02-23T18:37:14.789Z

Link: CVE-2026-27727

cve-icon Vulnrichment

Updated: 2026-02-25T20:14:58.860Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T17:25:39.910

Modified: 2026-03-11T23:30:53.927

Link: CVE-2026-27727

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-25T16:01:04Z

Links: CVE-2026-27727 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses