VYPR
Critical severity · NVD Advisory · Published Jul 23, 2019 · Updated Aug 4, 2024

CVE-2019-10173

Description

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format, e.g. JSON (regression of CVE-2013-7285).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XStream 1.4.10 reintroduced a previously fixed deserialization flaw, allowing remote code execution when the application has not initialized the security framework.

Vulnerability

Description

CVE-2019-10173 is a critical remote code execution vulnerability in the XStream API. Version 1.4.10 reintroduced the deserialization flaw tracked as CVE-2013-7285, which had been fixed in an earlier release. The flaw lies in unmarshalling: the type information carried in the input stream decides which classes XStream instantiates, and if the application has not initialized XStream's security framework (its type allowlist), maliciously crafted XML or JSON can trigger arbitrary shell command execution [1][2].

Exploitation and Attack Surface

An attacker exploits this vulnerability by sending a specially crafted serialized document (XML, JSON or any other format XStream supports) to an application that unmarshals it with XStream 1.4.10 and has not initialized the security framework. XStream itself imposes no authentication, so the attack is remote and unauthenticated whenever the receiving endpoint accepts untrusted input; any authentication the application places in front of that endpoint is the only barrier. The scenario is the same as the original CVE-2013-7285: the regression reintroduced the insecure behavior that had previously been fixed [2].

Impact

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary operating system commands with the privileges of the process that performs the unmarshalling. This can lead to full system compromise, data exfiltration, and further lateral movement within the network [3][4]. Red Hat rated the severity as Important, with advisory updates issued for Red Hat Data Grid and Red Hat Enterprise Linux to address this issue [3][4].

Mitigation

The vulnerability is fixed in XStream version 1.4.11. Users should upgrade immediately and, on any version, initialize the security framework with an explicit allowlist of the types the application expects, since the flaw is only exploitable while the framework is uninitialized. Red Hat released errata RHSA-2019:3892 and RHSA-2020:0727 to address the vulnerability in their affected products. Initializing the security framework removes the precondition on an affected build, but it is a hardening step, not a replacement for patching [1][3][4].
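The two configurations the Attack Surface and Mitigation sections contrast, shown side by side as an added example (this is not code from the page, the XStream project or Red Hat). insecureInstance() is the shape CVE-2019-10173 applies to on 1.4.10: the security framework is never initialized, so the class named in the stream is the class that gets built. hardenedInstance() initializes the framework with an explicit allowlist. The Contact model class and both XML documents are constructed for the example; the XStream calls used (addPermission, allowTypes, NoTypePermission, NullPermission, PrimitiveTypePermission, ForbiddenClassException) are the library's public security API, present since 1.4.7. The "foreign type" document is deliberately benign (java.util.LinkedList); it only demonstrates that the stream, not the application, picks the type.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example: an uninitialized XStream next to one with an explicit type allowlist.
 */
public class XStreamHardening {

    /** Hypothetical application model: the only type this endpoint should ever build. */
    public static class Contact {
        String name;
        String email;

        @Override
        public String toString() {
            return "Contact{name=" + name + ", email=" + email + "}";
        }
    }

    /**
     * Vulnerable shape: the security framework is never initialized, so the type
     * information carried in the stream decides which classes get instantiated.
     * XStream 1.4.10 also prints a warning on first use that the framework is not
     * initialized; that warning is the symptom to look for in existing code.
     */
    static XStream insecureInstance() {
        XStream xs = new XStream();
        xs.alias("contact", Contact.class);
        return xs;
    }

    /**
     * Hardened shape: drop every permission, then allow only nulls, primitives, String
     * and the application's own model type. Any other class named by the stream is
     * rejected with ForbiddenClassException before it is instantiated.
     */
    static XStream hardenedInstance() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // start from "nothing is allowed"
        xs.addPermission(NullPermission.NULL);                // null values inside the model
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ... fields
        xs.allowTypes(new Class[] { String.class, Contact.class });
        xs.alias("contact", Contact.class);
        return xs;
    }

    /** Unmarshals doc and reports the runtime class of the result, or the rejection. */
    static String describe(XStream xs, String doc) {
        try {
            Object o = xs.fromXML(doc);
            return (o == null ? "null" : o.getClass().getName()) + " -> " + o;
        } catch (ForbiddenClassException e) {
            return "rejected by security framework: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs. The first is what the endpoint expects. The second
        // keeps the expected root element but uses XStream's "class" attribute to name a
        // type the application never intended to accept: the sender, not the code,
        // chooses the class.
        String expected = "<contact><name>Ada</name><email>ada@example.com</email></contact>";
        String foreignType = "<contact class=\"java.util.LinkedList\"/>";

        System.out.println("insecure, expected doc: " + describe(insecureInstance(), expected));
        System.out.println("insecure, foreign type: " + describe(insecureInstance(), foreignType));
        System.out.println("hardened, expected doc: " + describe(hardenedInstance(), expected));
        System.out.println("hardened, foreign type: " + describe(hardenedInstance(), foreignType));
    }
}
```

Run against the xstream 1.4.10 or 1.4.11 artifact: the insecure instance builds a java.util.LinkedList from the second document without complaint, while the hardened one throws ForbiddenClassException for it and still unmarshals the legitimate Contact. The allowlist is the check to audit in any code that keeps an affected build in production; from 1.4.18 onward XStream installs an allowlist by default, but allowTypes for the application's own types is still required.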

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                           Ecosystem   Affected versions      Patched versions
com.thoughtworks.xstream:xstream  Maven       >= 1.4.10, < 1.4.11    1.4.11

Affected products: 4

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 13

News mentions: 0 (no linked articles in our index yet)