Skip to main content

mchange-commons-java CVE-2026-55153

| EUVDEUVD-2026-41135 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-01 GitHub_M
7.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable when an app deserializes untrusted input (AV:N, PR:N), but requires a viable gadget class and an app path feeding attacker data (AC:H); full impact via JNDI injection.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 22:02 EUVD
Analysis Generated
Jul 01, 2026 - 20:51 vuln.today

DescriptionCVE.org

mchange-commons-java is a Java library of shared utility classes used by mchange projects like the c3p0 connection pool. Prior to version 0.6.0, its JNDI ObjectFactory implementation (com.mchange.v2.naming.JavaBeanObjectFactory) will construct objects of arbitrary classes and initialize "JavaBean"-style properties, which for certain classes enables JNDI injection and "deserialization gadgets." Such initialization is unsafe for some classes: for example, setting the contentType property of a Swing JEditorPane to text/html and its text property to HTML containing a stylesheet <link> will provoke an HTTP GET on an arbitrary URL, potentially from within a trusted security domain. The problem is aggravated by the library's ReferenceIndirector, through which malicious JNDI Reference objects can be smuggled in for dereferencing wherever an application reads a Java-serialized object. This has been resolved in version 0.6.0.

AnalysisAI

Insecure JNDI object instantiation in mchange-commons-java before 0.6.0 lets attackers who can influence deserialized data or JNDI Reference resolution coerce the library's JavaBeanObjectFactory into constructing arbitrary classes and setting their JavaBean properties, enabling JNDI injection and deserialization-gadget attacks. Because this library underpins mchange projects such as the c3p0 connection pool, any Java application that deserializes attacker-controlled objects or dereferences untrusted JNDI References through it is exposed; a demonstrated path abuses a Swing JEditorPane to force outbound HTTP requests from a trusted security domain. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach app endpoint that deserializes input
Delivery
Deliver crafted serialized object or JNDI Reference
Exploit
JavaBeanObjectFactory instantiates chosen gadget class
Execution
Setters populate JEditorPane text/contentType
Persist
Outbound HTTP GET or JNDI injection fires
Impact
SSRF from trusted domain or remote code loading

Vulnerability AssessmentAI

Exploitation Exploitation requires the target application to (1) include mchange-commons-java prior to 0.6.0 on its classpath (typically transitively via c3p0), and (2) deserialize attacker-influenced Java objects or resolve an attacker-controlled JNDI Reference through com.mchange.v2.naming.JavaBeanObjectFactory / ReferenceIndirector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 3.1 vector (CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.1) signals high complexity, a required privilege level, adjacent access, and full C/I/A impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a crafted Java-serialized object (or a JNDI Reference smuggled through ReferenceIndirector) to an application endpoint that deserializes untrusted input while mchange-commons-java is on the classpath. The JavaBeanObjectFactory instantiates a chosen class such as JEditorPane and sets its contentType/text properties, forcing the victim server to issue an outbound HTTP GET from within its trusted network - or, with a different gadget class, achieves JNDI injection toward attacker-controlled code. …
Remediation Vendor-released patch: 0.6.0 - upgrade mchange-commons-java to 0.6.0 or later, including bumping transitive copies pulled in through c3p0 or other mchange projects (audit your dependency tree with 'mvn dependency:tree' or 'gradle dependencies' since it is frequently transitive). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Scan all Java application repositories and container images to identify use of mchange-commons-java and c3p0 libraries, documenting current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-55153 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy