CVE-2026-27727: mchange-commons-java: Remote Code Execution via JNDI Reference Resolution
(updated )
mchange-commons-java includes code that mirrors early implementations of JNDI functionality, including support for remote factoryClassLocation values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted jaxax.naming.Reference or serialized object, they can provoke the download and execution of malicious code.
Implementations of this functionality within the JDK were disabled by default behind a System property that defaults to false, com.sun.jndi.ldap.object.trustURLCodebase. However, since mchange-commons-java includes an independent implementation of JNDI derefencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened.
References
- github.com/advisories/GHSA-m2cm-222f-qw44
- github.com/swaldman/mchange-commons-java
- github.com/swaldman/mchange-commons-java/security/advisories/GHSA-m2cm-222f-qw44
- mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal
- nvd.nist.gov/vuln/detail/CVE-2026-27727
- www.mchange.com/projects/c3p0/
- www.mchange.com/projects/c3p0/
Code Behaviors & Features
Detect and mitigate CVE-2026-27727 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →