VYPR
Moderate severity · NVD Advisory · Published Mar 22, 2021 · Updated Aug 3, 2024

A Server-Side Request Forgery can be triggered when unmarshalling with XStream, accessing data streams from an arbitrary URL that references a resource on an intranet or the local host

CVE-2021-21342

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in a server-side request forgery. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XStream before 1.4.16 allows Server-Side Request Forgery via manipulated XML type information during unmarshalling.

CVE-2021-21342 is a Server-Side Request Forgery (SSRF) vulnerability in the Java library XStream, affecting all versions up to and including 1.4.15 when used without a security framework whitelist [1]. The root cause lies in how XStream unmarshals XML data: the input stream contains type information that XStream uses to recreate objects. An attacker can manipulate this input stream to inject or replace objects with ones that trigger an SSRF [3][4].

Exploitation does not require authentication, as it relies on processing a crafted XML payload. The advisory provides a proof-of-concept that uses a PriorityQueue with a Comparator chain leading to URLDataSource, which forces the server to make a request to an attacker-controlled URL (e.g., http://localhost:8080/internal/) [4]. No special network position is needed beyond the ability to supply the malicious XML to XStream's fromXML() method.

The impact is SSRF, allowing an attacker to access internal resources or services that are not exposed externally. This can include data from intranet systems, cloud metadata endpoints, or local services, potentially leading to further compromise [2]. XStream's own documentation notes that such attacks can also lead to remote code execution, though the specific CVE focuses on forgery requests [2][4].

Users who have configured XStream's security framework with a whitelist limited to minimal required types are not affected. For those relying on the default blacklist, the fix is to upgrade to XStream 1.4.16 or later [1][4]. No workaround beyond the whitelist recommendation is provided.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
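The whitelist recommendation above in practice, as an added Java example that is not XStream's own code nor part of the advisory: the security framework is reset to deny every type, then re-opened only for the application's own classes (`Report` is an assumed application type), so a stream that declares any other type is refused before an instance is created.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Assumed application type: the only object this endpoint ever expects.
    public static class Report {
        String title;
        int count;
    }

    // Build an XStream instance whose security framework starts from "deny everything"
    // and re-enables only the types the application actually needs.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // drop all existing permissions
        xstream.addPermission(NullPermission.NULL);                // allow null references
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Report.class });
        xstream.alias("report", Report.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed benign input: the type information matches the allowlist.
        String ok = "<report><title>weekly</title><count>3</count></report>";
        Report r = (Report) xstream.fromXML(ok);
        System.out.println("title=" + r.title + " count=" + r.count);

        // Constructed untrusted input: the stream names a type the application never
        // registered. The SecurityMapper rejects the class name while resolving it, so no
        // object of that type is ever instantiated; this is what blocks type-injection
        // chains of the kind this CVE describes, independent of the XStream version.
        String unexpected = "<java.util.HashMap/>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("unexpected: accepted (allowlist is NOT in effect)");
        } catch (ForbiddenClassException e) {
            System.out.println("unexpected: rejected by allowlist -> " + e.getMessage());
        }
    }
}
```

The same configuration applies on 1.4.16 and later: upgrading replaces the blacklist, but an explicit allowlist is still the setting that does not depend on future blacklist entries.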

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.thoughtworks.xstream:xstream (Maven)
Affected versions: < 1.4.16
Patched versions: 1.4.16

Affected products: 10
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: not yet synthesized for this CVE
References: 23
News mentions: 0