Description
c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0, c3p0, in combination with other libraries, can compose into a "sink" for deserialization gadgets. The JDBC spec's DataSource.getConnection() and ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as "properties" assumed safe while they actually call into JDBC drivers. Attackers can thus craft malicious DataSource objects whose property lookups invoke vulnerable drivers, then smuggle them in serialized form to where an application deserializes and auto-resolves bean properties, triggering the attack. This requires a susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the CLASSPATH, plus a carrier that auto-looks-up JavaBean properties on deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an essential component of the trigger. This issue has been fixed in version 0.14.0.
Published: 2026-06-30
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

c3p0, a JDBC Connection pooling library, shipped DataSource and ConnectionPoolDataSource implementations before version 0.14.0 whose getConnection() and getPooledConnection() methods follow the JavaBean getXXX() naming convention. JavaBean libraries therefore treat them as harmless property getters, although calling them reaches into the configured JDBC driver. An attacker can craft a malicious DataSource whose property resolution invokes a vulnerable driver when an application deserializes the object and automatically resolves bean properties. The resulting impact depends on what the reachable driver does with attacker-controlled connection settings; the CVSS v4.0 vector on this record rates the confidentiality, integrity and availability impact as low.

Affected Systems

The vulnerability exists in the swaldman:c3p0 library for all releases older than 0.14.0. Any application that includes c3p0 and deserializes untrusted Java-serialized data is potentially affected: the c3p0 classes need only be on the classpath, since the attacker supplies the DataSource object inside the payload. The target application must also have a susceptible JDBC driver on the classpath and a carrier that automatically looks up JavaBean properties during deserialization, such as a collection ordered by an Apache Commons BeanUtils Comparator that sorts by bean properties.

Risk and Exploitability

This record carries a CVSS v4.0 base score of 6.3 (Medium). No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an application that deserializes attacker-supplied data through a path that automatically resolves JavaBean properties, a susceptible JDBC driver on the classpath, and a vulnerable c3p0 release on the classpath to supply the DataSource/ConnectionPoolDataSource. The typical attack path is delivering a crafted serialized payload, most commonly a collection paired with an Apache Commons BeanUtils comparator, to such an application; resolving the comparator's bean property then calls into the driver through the c3p0 sink.

Generated by OpenCVE AI on July 1, 2026 at 06:33 UTC.
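The mechanism that the Description and the AI Analysis above explain can be reproduced with nothing but the JDK. What follows is an added example, not code from c3p0, from commons-beanutils, or from the CVE record: a stub implementing javax.sql.DataSource whose getConnection() only counts invocations (standing in for the c3p0 classes the description names), a small property-sorting comparator written here to mirror what commons-beanutils BeanComparator does (the real gadget uses that library), and a java.util.PriorityQueue as the carrier, because its readObject() re-heapifies the queue and therefore calls the comparator. It also shows the check a practitioner controls independently of the library fix, a java.io.ObjectInputFilter allowlist, which the page itself does not mention. The class name DataSourceBeanSink and the jdbc:example URLs are constructed for illustration.

```java
import java.beans.*;
import java.io.*;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.*;
import java.util.logging.Logger;
import javax.sql.DataSource;

/** Added example (not c3p0 code): why DataSource.getConnection() reads as a bean
 *  property, and how a property-sorting comparator turns a plain readObject() into a
 *  call into the "driver". */
public class DataSourceBeanSink {

    /** Stand-in for the susceptible DataSource (c3p0's role in the real issue). It only
     *  counts calls; a real one would load and call whatever driver the URL selects. */
    public static class RecordingDataSource implements DataSource, Serializable {
        static int driverCalls = 0;
        private final String url;   // attacker-chosen, survives serialization
        public RecordingDataSource(String url) { this.url = url; }
        @Override public Connection getConnection() { driverCalls++; return null; }
        @Override public Connection getConnection(String u, String p) { return getConnection(); }
        @Override public PrintWriter getLogWriter() { return null; }
        @Override public void setLogWriter(PrintWriter out) { }
        @Override public void setLoginTimeout(int seconds) { }
        @Override public int getLoginTimeout() { return 0; }
        @Override public Logger getParentLogger() throws SQLFeatureNotSupportedException {
            throw new SQLFeatureNotSupportedException();
        }
        @Override public <T> T unwrap(Class<T> iface) throws SQLException { throw new SQLException("not a wrapper"); }
        @Override public boolean isWrapperFor(Class<?> iface) { return false; }
    }

    /** Minimal stand-in for commons-beanutils BeanComparator: orders beans by a named
     *  property resolved through java.beans introspection and read via its getter. */
    public static class PropertyComparator implements Comparator<Object>, Serializable {
        private final String property;
        public PropertyComparator(String property) { this.property = property; }
        private Object read(Object bean) {
            try {
                for (PropertyDescriptor pd : Introspector.getBeanInfo(bean.getClass()).getPropertyDescriptors()) {
                    if (pd.getName().equals(property) && pd.getReadMethod() != null) {
                        return pd.getReadMethod().invoke(bean);   // this is where getConnection() runs
                    }
                }
            } catch (IntrospectionException | ReflectiveOperationException e) {
                throw new IllegalStateException(e);
            }
            throw new IllegalArgumentException("no readable property " + property);
        }
        @Override public int compare(Object a, Object b) {
            return String.valueOf(read(a)).compareTo(String.valueOf(read(b)));
        }
    }

    /** Names of the zero-argument getXXX() methods that java.beans reports as readable properties. */
    static List<String> readablePropertyNames(Class<?> type) throws IntrospectionException {
        List<String> names = new ArrayList<>();
        for (PropertyDescriptor pd : Introspector.getBeanInfo(type).getPropertyDescriptors()) {
            if (pd.getReadMethod() != null) names.add(pd.getName());
        }
        return names;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    /** Victim-side read: a plain ObjectInputStream, optionally with a deserialization filter. */
    static Object deserialize(byte[] bytes, ObjectInputFilter filter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            if (filter != null) ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. The spec-defined getter is indistinguishable from a property getter.
        System.out.println("readable properties of javax.sql.DataSource: " + readablePropertyNames(DataSource.class));

        // 2. Attacker side: a PriorityQueue ordered by the "connection" property. Building it
        //    already calls the comparator once; that is harmless here and the counter is reset.
        PriorityQueue<Object> carrier = new PriorityQueue<>(2, new PropertyComparator("connection"));
        carrier.add(new RecordingDataSource("jdbc:example://attacker.invalid/a"));   // constructed URLs
        carrier.add(new RecordingDataSource("jdbc:example://attacker.invalid/b"));
        byte[] payload = serialize(carrier);
        RecordingDataSource.driverCalls = 0;

        // 3. Victim side: PriorityQueue.readObject() re-heapifies, which calls compare(),
        //    which calls getConnection() on each element, with no application code involved.
        deserialize(payload, null);
        System.out.println("unfiltered readObject(): getConnection() invoked " + RecordingDataSource.driverCalls + " time(s)");

        // 4. Practitioner-side check: an allowlist filter rejects the comparator class before
        //    any element is materialised, so the getter never runs. A real allowlist names the
        //    application's own classes instead of just PriorityQueue.
        RecordingDataSource.driverCalls = 0;
        try {
            deserialize(payload, ObjectInputFilter.Config.createFilter("java.util.PriorityQueue;!*"));
        } catch (InvalidClassException e) {
            System.out.println("filtered readObject(): rejected (" + e.getMessage() + ")");
        }
        System.out.println("filtered readObject(): getConnection() invoked " + RecordingDataSource.driverCalls + " time(s)");
    }
}
```

Run it with `java DataSourceBeanSink.java` on JDK 11 or later. The first line lists "connection" among the readable properties of the DataSource interface itself, which is the whole problem: nothing in the JavaBean model distinguishes a getter that opens a database connection from one that returns a field. The unfiltered read then reports two getConnection() calls (heapify of a two-element queue performs one compare, and the comparator reads the property on both sides), while the filtered read reports zero because the stream is rejected at the comparator's class descriptor, before the queue's elements are even read.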

Remediation

The CVE description states that the issue is fixed in c3p0 0.14.0; no separate vendor workaround is listed on this record.

OpenCVE Recommended Actions

  • Upgrade c3p0 to version 0.14.0 or later
  • Remove or disable automatic JavaBean property resolution in any serialization framework that processes objects with DataSource or ConnectionPoolDataSource properties
  • Remove JDBC drivers that the application does not require from the classpath, so that a susceptible driver is not reachable from a deserialized DataSource


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 23:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           (the CVE description quoted at the top of this page)
Title        (none)           c3p0 exposes a deserialization "sink" via JDBC DataSource bean properties
Weaknesses   (none)           CWE-502, CWE-915
References   (none)           (empty)
Metrics      (none)           cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T22:56:55.895Z

Reserved: 2026-06-16T16:16:32.628Z

Link: CVE-2026-55223

Vulnrichment: No data.

NVD: No data.

Redhat: No data.

OpenCVE Enrichment

Updated: 2026-07-01T05:00:07Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data

  • CWE-915

    Improperly Controlled Modification of Dynamically-Determined Object Attributes