VYPR
Moderate severity · NVD Advisory · Published Mar 22, 2021 · Updated Aug 3, 2024

XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos)

CVE-2021-21348

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XStream before 1.4.16 is vulnerable to a ReDoS attack allowing remote attackers to cause a denial of service via crafted XML input.

Vulnerability

Details

CVE-2021-21348 is a denial of service vulnerability in XStream versions prior to 1.4.16. The root cause is improper handling of user-supplied regular expressions during the unmarshalling of serialized data. An attacker can provide crafted XML input that triggers a malicious regular expression evaluation, causing a single thread to consume 100% CPU indefinitely [4].

Exploitation

The attack is remotely exploitable without authentication. An attacker sends a specially crafted XML (or other supported format) to an XStream instance that has not been secured with a whitelist-based security framework. The injected data leads to the evaluation of a regular expression that never completes or requires excessive computation, as described in the advisory [4]. Users who follow the recommendation to set up a whitelist of allowed types are not affected [2].

Impact

Successful exploitation results in a denial of service: the affected thread never returns, blocking processing and potentially causing application unavailability. The vulnerability does not lead to data theft or remote code execution, but can effectively halt server operations.

Mitigation

Users should upgrade to XStream version 1.4.16 or later, which includes a fix [1]. Alternatively, deploying the security framework with a whitelist of minimal required types prevents exploitation [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
com.thoughtworks.xstream:xstream | Maven | < 1.4.16 | 1.4.16

Affected products: 7

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 23

News mentions: 0

No linked articles in our index yet.