XStream is vulnerable to an Arbitrary Code Execution attack
Description
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XStream before 1.4.16 allows remote code execution via deserialization of untrusted XML input, enabling arbitrary code loading from a remote host.
CVE-2021-21347 is a deserialization vulnerability in XStream versions prior to 1.4.16. The library reconstructs Java objects based on type information embedded in XML input. An attacker can inject malicious type references into the stream, causing XStream to load and execute arbitrary code from a remote server [2][4].
To exploit this, a remote attacker sends a crafted XML payload to an application that unmarshals XStream data without proper safeguards. No authentication is required if the application processes untrusted input. The vulnerability affects the default blacklist-based security configuration; users who have implemented a whitelist of allowed types are not impacted [3][4].
Successful exploitation grants the attacker arbitrary code execution in the context of the XStream process, potentially leading to full server compromise. The CVSS score is 9.8, reflecting critical severity [3].
Mitigation requires upgrading to XStream 1.4.16 or later. Alternatively, users can configure the security framework with a strict whitelist of permitted classes as recommended by the vendor [2][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.thoughtworks.xstream:xstreamMaven | < 1.4.16 | 1.4.16 |
Affected products
10- osv-coords9 versionspkg:bitnami/activemqpkg:maven/com.thoughtworks.xstream/xstreampkg:rpm/opensuse/xstream&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/xstream&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/xstream&distro=openSUSE%20Tumbleweedpkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2pkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.2
< 5.15.14+ 8 more
- (no CPE)range: < 5.15.14
- (no CPE)range: < 1.4.16
- (no CPE)range: < 1.4.16-lp152.2.6.1
- (no CPE)range: < 1.4.16-3.8.1
- (no CPE)range: < 1.4.18-1.1
- (no CPE)range: < 1.4.16-3.8.1
- (no CPE)range: < 1.4.16-3.8.1
- (no CPE)range: < 1.4.16-3.8.1
- (no CPE)range: < 1.4.16-3.8.1
- x-stream/xstreamv5Range: < 1.4.16
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
23- github.com/advisories/GHSA-qpfq-ph7r-qv6fghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2021-21347ghsaADVISORY
- www.debian.org/security/2021/dsa-5004ghsavendor-advisoryx_refsource_DEBIANWEB
- x-stream.github.io/changes.htmlghsax_refsource_MISCWEB
- github.com/x-stream/xstream/security/advisories/GHSA-qpfq-ph7r-qv6fghsax_refsource_CONFIRMWEB
- lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3EghsaWEB
- lists.debian.org/debian-lts-announce/2021/04/msg00002.htmlghsamailing-listx_refsource_MLISTWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHPghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREBghsaWEB
- security.netapp.com/advisory/ntap-20210430-0002ghsaWEB
- security.netapp.com/advisory/ntap-20210430-0002/mitrex_refsource_CONFIRM
- www.oracle.com//security-alerts/cpujul2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2022.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlghsax_refsource_MISCWEB
- x-stream.github.io/CVE-2021-21347.htmlghsax_refsource_MISCWEB
- x-stream.github.io/security.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.