XStream is vulnerable to a Remote Command Execution attack
Description
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XStream before 1.4.16 allows remote command execution via manipulated input stream when security framework is not whitelisted.
Vulnerability
XStream is a Java library for serializing objects to XML. In versions prior to 1.4.16, the unmarshalling process uses type information from the input stream to recreate objects. An attacker can inject malicious type information, leading to the creation of objects that execute arbitrary commands on the host. [1][4]
Exploitation
The attack requires only the ability to supply a specially crafted XML (or JSON) input stream to XStream. The attacker does not need authentication if the application processes untrusted data. The manipulated stream can include objects like PriorityQueue with custom comparator chains that trigger command execution. [4]
Impact
Successful exploitation allows a remote attacker to execute arbitrary shell commands in the context of the server running XStream. This can lead to full system compromise, data exfiltration, or further lateral movement within the network. [3]
Mitigation
Users who have configured XStream's security framework with a whitelist of minimal required types are not affected. Those relying on the default blacklist must upgrade to XStream 1.4.16 or later. [2][1]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.thoughtworks.xstream:xstreamMaven | < 1.4.16 | 1.4.16 |
Affected products
10- osv-coords9 versionspkg:bitnami/activemqpkg:maven/com.thoughtworks.xstream/xstreampkg:rpm/opensuse/xstream&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/xstream&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/xstream&distro=openSUSE%20Tumbleweedpkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2pkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.2
< 5.15.14+ 8 more
- (no CPE)range: < 5.15.14
- (no CPE)range: < 1.4.16
- (no CPE)range: < 1.4.16-lp152.2.6.1
- (no CPE)range: < 1.4.16-3.8.1
- (no CPE)range: < 1.4.18-1.1
- (no CPE)range: < 1.4.16-3.8.1
- (no CPE)range: < 1.4.16-3.8.1
- (no CPE)range: < 1.4.16-3.8.1
- (no CPE)range: < 1.4.16-3.8.1
- x-stream/xstreamv5Range: < 1.4.16
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
24- github.com/advisories/GHSA-hwpc-8xqv-jvj4ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2021-21345ghsaADVISORY
- www.debian.org/security/2021/dsa-5004ghsavendor-advisoryx_refsource_DEBIANWEB
- x-stream.github.io/changes.htmlghsax_refsource_MISCWEB
- github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4ghsax_refsource_CONFIRMWEB
- lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3EghsaWEB
- lists.debian.org/debian-lts-announce/2021/04/msg00002.htmlghsamailing-listx_refsource_MLISTWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHPghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREBghsaWEB
- security.netapp.com/advisory/ntap-20210430-0002ghsaWEB
- security.netapp.com/advisory/ntap-20210430-0002/mitrex_refsource_CONFIRM
- www.oracle.com//security-alerts/cpujul2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuApr2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2022.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlghsax_refsource_MISCWEB
- x-stream.github.io/CVE-2021-21345.htmlghsax_refsource_MISCWEB
- x-stream.github.io/security.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.