mchange-commons-java
CVE-2026-27727
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable but requires provoking the app to resolve attacker-controlled references plus elevated data/config control (AC:H, PR:H); remote class loading yields full RCE with scope change (S:C, C/I/A:H).
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
11Blast Radius
ecosystem impact- 118 maven packages depend on com.mchange:mchange-commons-java (8 direct, 110 indirect)
Ecosystem-wide dependent count for version 0.4.0.
DescriptionCVE.org
mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote factoryClassLocation values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted jaxax.naming.Reference or serialized object, they can provoke the download and execution of malicious code. Implementations of this functionality within the JDK were disabled by default behind a System property that defaults to false, com.sun.jndi.ldap.object.trustURLCodebase. However, since mchange-commons-java includes an independent implementation of JNDI derefencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs.
AnalysisAI
Remote code execution in mchange-commons-java prior to 0.4.0 allows an attacker to download and run arbitrary Java code by forcing an application to dereference a malicious javax.naming.Reference or serialized object that specifies a remote factoryClassLocation. The library ships its own legacy JNDI dereferencing implementation, so applications using it (notably the c3p0 connection pool) remain exploitable even on JDKs hardened with com.sun.jndi.ldap.object.trustURLCodebase=false. Publicly available exploit code exists (Mogwai Labs c3p0 research), though EPSS is low (0.10%, 27th percentile) and the issue is not listed in CISA KEV.
Technical ContextAI
The vulnerability lives in mchange-commons-java, a general-purpose Java utility library widely pulled in transitively by c3p0 (a JDBC connection pool). It reproduces the classic JNDI injection pattern (CWE-74, Injection) in which a Naming Reference can carry a remote codebase URL via factoryClassLocation; when the reference is resolved, the named ObjectFactory class is fetched from that URL and instantiated, leading to code execution. Oracle mitigated this in the JDK by gating remote codebase loading behind the com.sun.jndi.ldap.object.trustURLCodebase System property (default false), but because mchange-commons-java carries an independent dereferencing implementation, that JDK hardening does not apply. The affected component is cpe:2.3:a:mchange:mchange_commons_java for all versions before 0.4.0, which now gates this functionality behind configuration parameters that default to restrictive values.
RemediationAI
Vendor-released patch: upgrade mchange-commons-java to version 0.4.0 or later, which gates the JNDI dereferencing functionality behind configuration parameters that default to restrictive values; bump any transitive dependency (for example via c3p0) so that versions prior to 0.4.0 are not present on application CLASSPATHs. Apply the corresponding distribution updates where relevant: Red Hat RHSA-2026:3890 / RHSA-2026:4285 (and related errata) and SUSE SUSE-SU-2026:0855 / SUSE-SU-2026:1035, per https://access.redhat.com/errata/RHSA-2026:3890 and https://www.suse.com/support/update/SUSE-SU-2026:0855/. The upstream advisory GHSA-m2cm-222f-qw44 states no known workarounds are available, so upgrading is the only reliable fix; as compensating controls until patched, ensure no attacker-controllable input reaches JNDI lookups or Java deserialization paths (do not let untrusted parties influence c3p0 JNDI/JDBC configuration or supply serialized objects), and apply network egress filtering to block outbound LDAP/RMI/HTTP from application servers to untrusted hosts so a remote factoryClassLocation cannot be fetched - noting that egress restrictions can break legitimate outbound integrations and must be scoped carefully.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| Container suse/manager/4.3/proxy-httpd:4.3.17.9.76.1 | Affected |
| Container suse/manager/5.0/x86_64/server-attestation:latest Container suse/manager/5.0/x86_64/server:latest Image server-attestation-image Image server-image | Affected |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Retail Branch Server LTS 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Tumbleweed | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Retail Branch Server LTS 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE Manager Server Module 4.3 | Fixed |
| SUSE Manager Server Module 4.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| SUSE Manager Proxy 4.3 LTS | Fixed |
| SUSE Manager Retail Branch Server 4.3 LTS | Fixed |
| SUSE Manager Server 4.3 LTS | Fixed |
| SUSE Manager Server 4.3 LTS | Fixed |
| suse/manager/5.0/x86_64/server suse/manager/5.0/x86_64/server-attestation suse/multi-linux-manager/5.1/x86_64/server suse/multi-linux-manager/5.1/x86_64/server-attestation suse/multi-linux-manager/5.2/x86_64/server suse/multi-linux-manager/5.2/x86_64/server-attestation | Fixed |
| suse/manager/5.0/x86_64/server suse/manager/5.0/x86_64/server-attestation suse/multi-linux-manager/5.2/x86_64/server suse/multi-linux-manager/5.2/x86_64/server-attestation | Fixed |
| suse/multi-linux-manager/5.1/x86_64/server suse/multi-linux-manager/5.1/x86_64/server-attestation | Fixed |
| suse/manager/4.3/proxy-httpd | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-m2cm-222f-qw44