{"id":"CVE-2026-27830","summary":"c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property","details":"c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map\u003cString,Map\u003cString,String\u003e\u003e`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDataSource` or via maliciously crafted serialized objects or `javax.naming.Reference` instances could be tailored execute unexpected code on the application's `CLASSPATH`. The danger of this vulnerability was strongly magnified by vulnerabilities in c3p0's main dependency, mchange-commons-java. This library includes code that mirrors early implementations of JNDI functionality, including ungated support for remote `factoryClassLocation` values. Attackers could set c3p0's `userOverridesAsString` hex-encoded serialized objects that include objects \"indirectly serialized\" via JNDI references. Deserialization of those objects and dereferencing of the embedded `javax.naming.Reference` objects could provoke download and execution of malicious code from a remote `factoryClassLocation`. Although hazard presented by c3p0's vulnerabilites are exarcerbated by vulnerabilities in mchange-commons-java, use of Java-serialized-object hex as the format for a writable Java-Bean property, of objects that may be exposed across JNDI interfaces, represents a serious independent fragility. The `userOverridesAsString` property of c3p0 `ConnectionPoolDataSource` classes has been reimplemented to use a safe CSV-based format, rather than rely upon potentially dangerous Java object deserialization. c3p0-0.12.0+ and above depend upon mchange-commons-java 0.4.0+, which gates support for remote `factoryClassLocation` values by configuration parameters that default to restrictive values. c3p0 additionally enforces the new mchange-commons-java `com.mchange.v2.naming.nameGuardClassName` to prevent injection of unexpected, potentially remote JNDI names. There is no supported workaround for versions of c3p0 prior to 0.12.0.","aliases":["GHSA-5476-xc4j-rqcv"],"modified":"2026-04-10T05:38:40.397685Z","published":"2026-02-26T00:45:18.222Z","related":["CGA-6vhx-88g4-42r5","SUSE-SU-2026:0855-1","SUSE-SU-2026:1035-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27830.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-502","CWE-94"]},"references":[{"type":"WEB","url":"https://www.mchange.com/projects/c3p0/#configuring_security"},{"type":"WEB","url":"https://www.mchange.com/projects/c3p0/#security-note"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27830.json"},{"type":"ADVISORY","url":"https://github.com/swaldman/c3p0/security/advisories/GHSA-5476-xc4j-rqcv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27830"},{"type":"FIX","url":"https://github.com/swaldman/c3p0/commit/e14cbd8166e423e2e9a9d6f08b2add3433492d6e"},{"type":"ARTICLE","url":"https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/swaldman/c3p0","events":[{"introduced":"0"},{"fixed":"afbb946ea70ee2312c1c5fc53dd60dd218f87ef9"}]}],"versions":["c3p0-0.9.2","c3p0-0.9.2-pre2-RELEASE","c3p0-0.9.2-pre3","c3p0-0.9.2-pre4","c3p0-0.9.2-pre6","c3p0-0.9.2-pre7","c3p0-0.9.2-pre8","c3p0-0.9.5","c3p0-0.9.5-pre1","c3p0-0.9.5-pre10","c3p0-0.9.5-pre2","c3p0-0.9.5-pre3","c3p0-0.9.5-pre4","c3p0-0.9.5-pre5","c3p0-0.9.5-pre6","c3p0-0.9.5-pre7","c3p0-0.9.5-pre8","c3p0-0.9.5-pre9","c3p0-0.9.5.1","c3p0-0.9.5.2","c3p0-0.9.5.3","c3p0-0.9.5.4","c3p0-0.9.5.5","v.0.10.0","v0.10.0-pre1","v0.10.0-pre2","v0.10.0-pre3","v0.10.0-pre4","v0.10.0-pre5","v0.10.0-pre6","v0.10.0-pre7","v0.10.1","v0.10.2","v0.11.0","v0.11.0-pre1","v0.11.0-pre2","v0.11.1","v0.11.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27830.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}]}