XStream can cause a Denial of Service

Vulnerability

Overview

CVE-2021-21341 is a denial-of-service vulnerability in XStream, a Java library for serializing objects to XML and back. The flaw exists in versions prior to 1.4.16 and stems from the way XStream handles type information during unmarshalling. By injecting a manipulated ByteArrayInputStream (or a derived class) into the input stream, an attacker can cause an endless loop that consumes 100% CPU time, effectively crashing the application [2][4].

Exploitation

The attack is remotely exploitable without authentication. An attacker simply sends a specially crafted XML payload to an application that uses XStream to deserialize user-supplied data. The payload includes a PriorityQueue with a manipulated ByteArrayInputStream that has a negative position value, leading to an infinite loop when processed [4]. No special network position or privileges are required.

Impact

Successful exploitation results in a complete denial of service, as the target system's CPU is fully occupied by the endless loop. The impact depends on CPU type and parallel execution, but in all cases the application becomes unresponsive. This can be used to disrupt services or as part of a larger attack chain [3].

Mitigation

Users are advised to upgrade to XStream version 1.4.16 or later, which fixes the vulnerability. Alternatively, administrators can configure XStream's security framework with a whitelist of allowed types, which prevents the injection of malicious classes. Users relying on the default blacklist are particularly vulnerable and must update immediately [2][4].