VYPR
Moderate severity · NVD Advisory · Published Mar 22, 2021 · Updated Aug 3, 2024

A Server-Side Request Forgery can be triggered when unmarshalling with XStream, allowing access to data streams from an arbitrary URL referencing a resource in an intranet or on the local host

CVE-2021-21349

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available, merely by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XStream before 1.4.16 allows SSRF via crafted XML input, enabling attackers to request internal resources.

Vulnerability

Overview

CVE-2021-21349 is a Server-Side Request Forgery (SSRF) vulnerability in XStream, a Java library for serializing objects to XML and back. In versions prior to 1.4.16, an attacker can manipulate the input stream during unmarshalling to inject objects that cause XStream to make requests to arbitrary URLs, including internal resources not publicly accessible [1][4].

Exploitation

Method

The vulnerability exists because XStream processes type information embedded in the XML stream to reconstruct objects. By crafting a malicious XML document (e.g., modifying a serialized PriorityQueue), an attacker can inject objects such as javafx.collections.ObservableList$1 or com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data that ultimately trigger a connection to an attacker-controlled or internal URL [4]. No authentication or special privileges are required; the attack is performed by sending a specially crafted XML (or other supported format) to an application using XStream with its default blacklist-based security framework [2][3].

Impact

Successful exploitation allows a remote attacker to request data from internal systems that are not publicly available, such as services on localhost or within an intranet. This SSRF can be used to access sensitive data, interact with internal APIs, or potentially pivot to further attacks within the internal network [2][4]. The vulnerability does not affect users who have configured XStream's security framework with a whitelist restricted to minimal required types [3].

Mitigation

The issue is fixed in XStream version 1.4.16. Users relying on the default blacklist must upgrade to at least this version. As a workaround, deploying a whitelist-based security setup as recommended by the XStream project eliminates the risk [1][3][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.thoughtworks.xstream:xstream (Maven)
Affected versions: < 1.4.16
Patched versions: 1.4.16

Affected products: 10

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 23

News mentions: 0

No linked articles in our index yet.