mchange-commons-java: Remote Code Execution via JNDI Reference Resolution

Description

Impact

mchange-commons-java includes code that mirrors early implementations of JNDI functionality, including support for remote factoryClassLocation values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted javax.naming.Reference or serialized object, they can provoke the download and execution of malicious code.

Implementations of this functionality within the JDK were disabled by default behind a System property, com.sun.jndi.ldap.object.trustURLCodebase, which defaults to false. However, since mchange-commons-java includes an independent implementation of JNDI dereferencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened.
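The mechanism described above turns on a single field of javax.naming.Reference: a non-null factoryClassLocation tells the resolver to fetch the object factory from an external codebase. The following is an added, hypothetical application-side guard written for this advisory; it is not code from mchange-commons-java or c3p0, and the factory class name, the "url" address and the codebase URL in the samples are constructed placeholders. It refuses any Reference carrying a remote factory location, allow-lists the factory classes the application expects, and reports whether the JDK's own trustURLCodebase switches are still at their safe default.

```java
import javax.naming.NamingException;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import java.util.Set;

/**
 * Defensive gate applied to a javax.naming.Reference before it is handed to
 * any dereferencing code. Hypothetical example, not part of mchange-commons-java.
 */
public final class ReferenceGate {

    // Factories this application is willing to instantiate from a Reference.
    // The entry is a constructed placeholder; list your own factory classes.
    private static final Set<String> ALLOWED_FACTORIES = Set.of(
        "com.example.app.LocalDataSourceFactory");

    /**
     * Rejects a Reference that requests a remote factory class location (the
     * download-and-execute path this advisory describes) or that names a
     * factory outside the allow-list.
     */
    public static void checkReference(Reference ref) throws NamingException {
        if (ref == null) {
            throw new NamingException("null Reference");
        }
        String location = ref.getFactoryClassLocation();
        if (location != null) {
            // Any codebase at all means "load classes from elsewhere": refuse.
            throw new NamingException(
                "Refusing Reference with remote factoryClassLocation: " + location);
        }
        String factory = ref.getFactoryClassName();
        if (factory == null || !ALLOWED_FACTORIES.contains(factory)) {
            throw new NamingException("Factory class not in allow-list: " + factory);
        }
    }

    /**
     * True when both JDK URL-codebase trust properties are unset or false,
     * i.e. the JDK-side hardening mentioned in the advisory is still in effect.
     */
    public static boolean jdkCodebaseTrustDisabled() {
        return !Boolean.getBoolean("com.sun.jndi.ldap.object.trustURLCodebase")
            && !Boolean.getBoolean("com.sun.jndi.rmi.object.trustURLCodebase");
    }

    public static void main(String[] args) {
        // Constructed sample: a Reference that carries a remote codebase, the
        // shape a crafted directory entry or serialized object would take.
        Reference remote = new Reference(
            "javax.sql.DataSource",
            new StringRefAddr("url", "jdbc:example"),      // constructed address
            "com.example.app.LocalDataSourceFactory",
            "http://untrusted.invalid/classes/");           // constructed codebase
        try {
            checkReference(remote);
            System.out.println("unexpected: remote reference accepted");
        } catch (NamingException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Constructed sample: a local Reference naming an allow-listed factory.
        Reference local = new Reference(
            "javax.sql.DataSource",
            "com.example.app.LocalDataSourceFactory",
            null);                                          // no remote codebase
        try {
            checkReference(local);
            System.out.println("accepted local reference");
        } catch (NamingException e) {
            System.out.println("unexpected rejection: " + e.getMessage());
        }

        System.out.println("JDK trustURLCodebase switches off: "
            + jdkCodebaseTrustDisabled());
    }
}
```

Compile and run the class with no extra dependencies; the first sample is rejected because of its factoryClassLocation, the second is accepted. Note that the guard only protects code paths your application controls: a library that performs its own dereferencing, as this advisory describes for mchange-commons-java, bypasses it, which is why upgrading remains the fix.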

Patches

Mirroring the JDK patch, mchange-commons-java's JNDI functionality is now gated by configuration parameters that default to restrictive values. Those parameters are documented here.

Workarounds

None. Users should upgrade to mchange-commons-java >= 0.4.0. Earlier versions should be avoided on application CLASSPATHs.

References

c3p0, you little rascal — Hans-Martin Münch
c3p0 documentation, security note
c3p0 documentation, configuring security

Basic information

Type: reviewed
Severity: high
Published (advisory): 2026-02-25 18:20:05 UTC
Updated: 2026-02-27 20:55:42 UTC
GitHub reviewed: 2026-02-25 18:20:05 UTC
NVD published: 2026-02-25 17:25:39 UTC

EPSS Score

Score: 0.14%
Percentile: 34.82%

CVSS Scores

Base score: 8.9
CVSS version: 4.0
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Attack vector (AV:N): Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L): Exploitation conditions are straightforward and stable.
Attack requirements (AT:P): Additional preconditions must be present for exploitation.
Privileges required (PR:H): High privileges are required.
User interaction (UI:N): No user interaction is required.
Vulnerable system confidentiality impact (VC:H): High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H): High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:H): High availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:H): High confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:H): High integrity impact on subsequent systems.
Subsequent system availability impact (SA:H): High availability impact on subsequent systems.

Identifiers

CWEs

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-502: Deserialization of Untrusted Data

Credits

  • dpp (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem: maven
Package: com.mchange:mchange-commons-java
Vulnerable range: < 0.4.0
First patched: 0.4.0
