CVE-2026-27727

mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `jaxax.naming.Reference` or serialized object, they can provoke the download and execution of malicious code. Implementations of this functionality within the JDK were disabled by default behind a System property that defaults to `false`, `com.sun.jndi.ldap.object.trustURLCodebase`. However, since mchange-commons-java includes an independent implementation of JNDI derefencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/swaldman/mchange-commons-java/security/advisories/GHSA-m2cm-222f-qw44	Patch Vendor Advisory
https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal	Exploit Third Party Advisory
https://www.mchange.com/projects/c3p0/#configuring_security	Issue Tracking
https://www.mchange.com/projects/c3p0/#security-note	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:mchange:mchange_commons_java:*:*:*:*:*:*:*:*

History

11 Mar 2026, 23:30

Type	Values Removed	Values Added
References	~~() https://github.com/swaldman/mchange-commons-java/security/advisories/GHSA-m2cm-222f-qw44 -~~	() https://github.com/swaldman/mchange-commons-java/security/advisories/GHSA-m2cm-222f-qw44 - Patch, Vendor Advisory
References	~~() https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal -~~	() https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal - Exploit, Third Party Advisory
References	~~() https://www.mchange.com/projects/c3p0/#configuring_security -~~	() https://www.mchange.com/projects/c3p0/#configuring_security - Issue Tracking
References	~~() https://www.mchange.com/projects/c3p0/#security-note -~~	() https://www.mchange.com/projects/c3p0/#security-note - Release Notes
CPE		cpe:2.3:a:mchange:mchange_commons_java::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
Summary		(es) mchange-commons-java, una librería que proporciona utilidades de Java, incluye código que emula implementaciones tempranas de la funcionalidad JNDI, incluyendo soporte para valores remotos de `factoryClassLocation`, mediante los cuales se puede descargar e invocar código dentro de una aplicación en ejecución. Si un atacante puede provocar que una aplicación lea un `jaxax.naming.Reference` o un objeto serializado maliciosamente diseñado, pueden provocar la descarga y ejecución de código malicioso. Las implementaciones de esta funcionalidad dentro del JDK fueron deshabilitadas por defecto detrás de una propiedad de sistema que por defecto es `false`, `com.sun.jndi.ldap.object.trustURLCodebase`. Sin embargo, dado que mchange-commons-java incluye una implementación independiente de la desreferenciación JNDI, las librerías (como c3p0) que resuelven referencias a través de esa implementación podrían ser provocadas para descargar y ejecutar código malicioso incluso después de que el JDK fuera reforzado. Emulando el parche del JDK, la funcionalidad JNDI de mchange-commons-java está restringida por parámetros de configuración que por defecto tienen valores restrictivos a partir de la versión 0.4.0. No se conocen soluciones alternativas disponibles. Las versiones anteriores a la 0.4.0 deben evitarse en los CLASSPATH de las aplicaciones.
First Time		Mchange mchange Commons Java Mchange

25 Feb 2026, 17:25

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-25 17:25

Updated : 2026-03-11 23:30

NVD link : CVE-2026-27727

Mitre link : CVE-2026-27727

CVE.ORG link : CVE-2026-27727

JSON object : View

Products Affected

mchange

mchange_commons_java

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

9.8 /10