Skip to main content

c3p0 CVE-2026-55223

MEDIUM
Deserialization of Untrusted Data (CWE-502)
2026-06-30 security-advisories@github.com
6.3
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.0 CRITICAL

AC:H reflects multiple required classpath and deployment prerequisites; S:C because JDBC driver invocation extends side effects beyond c3p0's own security scope; C/I/A:H reflect RCE potential when a vulnerable driver is present.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 30, 2026 - 23:42 vuln.today
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.3

DescriptionCVE.org

c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0, c3p0 in combination with other libraries, can compose to a "sink" for deserialization gadgets. The JDBC spec's DataSource.getConnection() and ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as "properties" assumed safe while they actually call into JDBC drivers. Attackers can thus craft malicious DataSource objects whose property lookups invoke vulnerable drivers, then smuggle them in serialized form to where an application deserializes and auto-resolves bean properties - triggering the attack. This requires a susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the CLASSPATH, plus a carrier that auto-looks-up JavaBean properties on = deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an essential component of the trigger. This issue has been fixed in version 0.14.0.

AnalysisAI

Remote code execution risk in c3p0 versions prior to 0.14.0 arises from the library serving as an essential 'sink' in Java deserialization gadget chains. c3p0's DataSource and ConnectionPoolDataSource objects conform to JavaBean's getXXX() naming convention, causing commons-beanutils and similar libraries to invoke JDBC connection methods as though they were safe property accessors during deserialization - triggering arbitrary JDBC driver execution under attacker control. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Java deserialization endpoint in target application
Delivery
Craft serialized payload embedding commons-beanutils BeanComparator over c3p0 DataSource
Exploit
Deliver payload to deserialization endpoint
Install
Deserialization auto-invokes DataSource.getConnection() as bean property
C2
c3p0 delegates call to vulnerable JDBC driver on classpath
Execute
JDBC driver executes attacker-controlled logic
Impact
Achieve remote code execution in JVM process

Vulnerability AssessmentAI

Exploitation Exploitation requires three simultaneous conditions: (1) The target application must expose an endpoint that deserializes attacker-controlled Java serialized objects - without this, c3p0's presence on the classpath is irrelevant. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L) scores this at 6.3 (Medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a Java application that accepts serialized Java objects over the network (e.g., a REST or RMI endpoint, a message queue consumer, or a custom protocol handler) crafts a deserialization payload embedding a commons-beanutils BeanComparator configured to sort c3p0 DataSource objects by a property that maps to getConnection(). Upon deserialization, the comparator auto-invokes getConnection() on the attacker-supplied DataSource, which delegates to a vulnerable JDBC driver on the classpath - such as one historically associated with JNDI injection or class-loading gadgets - resulting in arbitrary code execution in the JVM process. …
Remediation The primary fix is to upgrade c3p0 to version 0.14.0 or later, which removes the susceptible DataSource and ConnectionPoolDataSource as gadget sinks. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55223 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy