XStream is vulnerable to an Arbitrary Code Execution attack

Vulnerability

Overview

CVE-2021-21344 is an arbitrary code execution vulnerability in the XStream Java library, which is used to serialize objects to XML and back. The flaw exists in all versions prior to 1.4.16 when using the default configuration. XStream processes type information embedded in the input stream to reconstruct objects; an attacker can inject malicious type references to force the library to load and execute arbitrary code from a remote server [1][4].

Exploitation

Context

An attacker can exploit this issue by providing a crafted serialized XML (or other supported formats like JSON) to a vulnerable XStream instance during unmarshalling. The attack does not require authentication if the application accepts untrusted data. The official advisory demonstrates a proof-of-concept using a PriorityQueue with a chain involving sun.awt.datatransfer.DataTransferer$IndexOrderComparator and com.sun.rowset.JdbcRowSetImpl to achieve remote code execution [4]. Users who have configured the security framework with a strict whitelist of allowed types are not affected [2][4].

Impact

Successful exploitation allows a remote attacker to execute arbitrary shell commands or Java code in the context of the server running XStream. This could lead to complete compromise of the application, including data theft, service disruption, or further lateral movement within the network [2][4].

Mitigation

The vulnerability is fixed in XStream version 1.4.16. Users relying on the default blacklist-based security framework must upgrade to this version or later [3]. Alternatively, implementing a whitelist of minimal required types as recommended by the vendor also prevents exploitation [2][4].