Description
c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDataSource` or via maliciously crafted serialized objects or `javax.naming.Reference` instances could be tailored execute unexpected code on the application's `CLASSPATH`. The danger of this vulnerability was strongly magnified by vulnerabilities in c3p0's main dependency, mchange-commons-java. This library includes code that mirrors early implementations of JNDI functionality, including ungated support for remote `factoryClassLocation` values. Attackers could set c3p0's `userOverridesAsString` hex-encoded serialized objects that include objects "indirectly serialized" via JNDI references. Deserialization of those objects and dereferencing of the embedded `javax.naming.Reference` objects could provoke download and execution of malicious code from a remote `factoryClassLocation`. Although hazard presented by c3p0's vulnerabilites are exarcerbated by vulnerabilities in mchange-commons-java, use of Java-serialized-object hex as the format for a writable Java-Bean property, of objects that may be exposed across JNDI interfaces, represents a serious independent fragility. The `userOverridesAsString` property of c3p0 `ConnectionPoolDataSource` classes has been reimplemented to use a safe CSV-based format, rather than rely upon potentially dangerous Java object deserialization. c3p0-0.12.0+ and above depend upon mchange-commons-java 0.4.0+, which gates support for remote `factoryClassLocation` values by configuration parameters that default to restrictive values. c3p0 additionally enforces the new mchange-commons-java `com.mchange.v2.naming.nameGuardClassName` to prevent injection of unexpected, potentially remote JNDI names. There is no supported workaround for versions of c3p0 prior to 0.12.0.
Published: 2026-02-26
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

c3p0, a popular JDBC connection‑pooling library, uses a property named userOverridesAsString to store a hex‑encoded Java‑serialized object. Deserialization of this property, or of supplied java‑serialized objects or javax.naming.Reference instances, allows an attacker to execute arbitrary code on the application’s classpath. The flaw exploits deserialization of untrusted data (CWE‑502) and indirect code injection via references (CWE‑94). If an attacker can reset the property or supply crafted serialized content, they may trigger download and execution of code from a remote JNDI location, leading to full compromise of confidentiality, integrity, and availability.

Affected Systems

The affected product is c3p0, developed by Swaldman. Versions of c3p0 earlier than 0.12.0 are vulnerable. The fix is included in c3p0 0.12.0 and later, which replaces the hex‑encoded serialized format with a CSV‑based format and tightens support for remote JNDI names.

Risk and Exploitability

The CVSS score of 8.9 marks the vulnerability as high severity, and although the EPSS score is below 1%, the potential impact justifies serious concern. The vulnerability is not yet listed in the CISA KEV catalog. Attack delivery requires the ability to inject a malicious serialized payload or JNDI reference into the userOverridesAsString property, which may be possible in applications that expose this configuration or accept external serialized data. Once exploited, unbounded code execution can occur, making this a critical asset to mitigate.

Generated by OpenCVE AI on April 17, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to c3p0 version 0.12.0 or newer, which replaces the unsafe deserialization mechanism with a CSV format.
  • Ensure mchange-commons-java dependency is at least version 0.4.0, which further restricts remote JNDI factoryClassLocation usage.
  • Verify that any configuration exposing userOverridesAsString is locked down or removed, and audit application code for inadvertent serialization of external data.

Generated by OpenCVE AI on April 17, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5476-xc4j-rqcv c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property
History

Mon, 04 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 02 May 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 28 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.0, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Swaldman
Swaldman c3p0
Vendors & Products Swaldman
Swaldman c3p0

Thu, 26 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
Description c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDataSource` or via maliciously crafted serialized objects or `javax.naming.Reference` instances could be tailored execute unexpected code on the application's `CLASSPATH`. The danger of this vulnerability was strongly magnified by vulnerabilities in c3p0's main dependency, mchange-commons-java. This library includes code that mirrors early implementations of JNDI functionality, including ungated support for remote `factoryClassLocation` values. Attackers could set c3p0's `userOverridesAsString` hex-encoded serialized objects that include objects "indirectly serialized" via JNDI references. Deserialization of those objects and dereferencing of the embedded `javax.naming.Reference` objects could provoke download and execution of malicious code from a remote `factoryClassLocation`. Although hazard presented by c3p0's vulnerabilites are exarcerbated by vulnerabilities in mchange-commons-java, use of Java-serialized-object hex as the format for a writable Java-Bean property, of objects that may be exposed across JNDI interfaces, represents a serious independent fragility. The `userOverridesAsString` property of c3p0 `ConnectionPoolDataSource` classes has been reimplemented to use a safe CSV-based format, rather than rely upon potentially dangerous Java object deserialization. c3p0-0.12.0+ and above depend upon mchange-commons-java 0.4.0+, which gates support for remote `factoryClassLocation` values by configuration parameters that default to restrictive values. c3p0 additionally enforces the new mchange-commons-java `com.mchange.v2.naming.nameGuardClassName` to prevent injection of unexpected, potentially remote JNDI names. There is no supported workaround for versions of c3p0 prior to 0.12.0.
Title c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property
Weaknesses CWE-502
CWE-94
References
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Swaldman C3p0
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T19:40:49.642Z

Reserved: 2026-02-24T02:32:39.800Z

Link: CVE-2026-27830

cve-icon Vulnrichment

Updated: 2026-02-27T16:25:47.891Z

cve-icon NVD

Status : Deferred

Published: 2026-02-26T01:16:24.583

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27830

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-26T00:45:18Z

Links: CVE-2026-27830 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses