CVE-2026-55223
Status: Received - Intake

BaseFortify

Vulnerability report for CVE-2026-55223, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0, c3p0, in combination with other libraries, can compose to a "sink" for deserialization gadgets. The JDBC spec's DataSource.getConnection() and ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as "properties" assumed to be safe, while they actually call into JDBC drivers. Attackers can thus craft malicious DataSource objects whose property lookups invoke vulnerable drivers, then smuggle them in serialized form to where an application deserializes and auto-resolves bean properties, triggering the attack. This requires a susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the CLASSPATH, plus a carrier that automatically looks up JavaBean properties on deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an essential component of the trigger. This issue has been fixed in version 0.14.0.


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Currently, no data is known.

CWE

CWE-915: The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Executive Summary

This vulnerability involves the c3p0 JDBC Connection pooling library in versions prior to 0.14.0. When used with other libraries, c3p0 can act as a "sink" for deserialization gadgets. Specifically, JavaBean libraries treat methods like DataSource.getConnection() and ConnectionPoolDataSource.getPooledConnection() as safe property getters, but these methods actually invoke JDBC drivers. Attackers can craft malicious DataSource objects that exploit this behavior and deliver them in serialized form. When an application deserializes these objects and automatically resolves bean properties, the attack is triggered. This requires a vulnerable DataSource/ConnectionPoolDataSource and JDBC driver on the classpath, along with a component that automatically looks up JavaBean properties during deserialization, such as a collection sorted by an Apache commons-beanutils Comparator. The vulnerable c3p0 DataSource/ConnectionPoolDataSource was a key part of this exploit chain. The issue was fixed in c3p0 version 0.14.0.

Impact Analysis

This vulnerability can allow attackers to execute malicious code during the deserialization process by exploiting the way c3p0 and other libraries handle JavaBean property lookups. This can lead to unauthorized actions, potentially compromising the security of the application, exposing sensitive data, or allowing further attacks within the system.

Mitigation Strategies

To mitigate this vulnerability, upgrade the c3p0 library to version 0.14.0 or later, where the issue has been fixed.
