CVE-2019-5427

HIGH

c3p0 <0.9.5.4 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-5427. PoCs published by shanika04.

AI-analyzed exploit summary This repository appears to be a partial fix or development snapshot for CVE-2019-5427, an XXE vulnerability in c3p0. The provided files are source code and documentation, but no exploit PoC or offensive techniques are present.

Description

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

Exploits (1)

nomisec STUB

by shanika04 · poc

https://github.com/shanika04/cp30_XXE_partial_fix

View Code ZIP pw:eip

This repository appears to be a partial fix or development snapshot for CVE-2019-5427, an XXE vulnerability in c3p0. The provided files are source code and documentation, but no exploit PoC or offensive techniques are present.

Classification

Stub 90%

Attack Type

Other

Complexity

Moderate

Reliability

Theoretical

Target: c3p0 (JDBC Connection pooling library)

No auth needed

Prerequisites: Access to a vulnerable c3p0 version

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8

Core References

Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/

Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/