XStream is vulnerable to an Arbitrary Code Execution attack
Description
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability that may allow a remote attacker to load and execute arbitrary code from a remote host merely by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XStream before version 1.4.16 is vulnerable to remote code execution via a crafted input stream.
Vulnerability
Overview
CVE-2021-21351 is a deserialization vulnerability in XStream, a Java library for XML serialization. The flaw resides in the unmarshalling process, where type information from the input stream is used to create objects. An attacker can inject malicious data to load and execute arbitrary code from a remote host [1][3].
Exploitation
The attack requires no authentication, only the ability to supply a manipulated input stream to XStream. The proof-of-concept in [4] demonstrates how to craft an XML payload using a TreeSet and JNDI injection to trigger remote code execution. This is possible because XStream's default blacklist is insufficient; a whitelist-based security framework is recommended [2].
Impact
Successful exploitation allows an attacker to execute arbitrary code on the server, potentially leading to full system compromise, data theft, or denial of service [2].
Mitigation
Users should upgrade to XStream 1.4.16 or later [1]. If upgrading is not possible, configure XStream's security framework with a whitelist of allowed classes to limit the attack surface [2].
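As an added illustration, not taken from the advisory or from the XStream project's own documentation, the following Java program configures XStream's security framework as an allowlist in the way the mitigation describes: it discards the default permissions (a blacklist in releases before 1.4.18), re-admits only null, primitives and the application's own types, and shows that a stream naming any other class is refused with a ForbiddenClassException before any converter or constructor runs. The `Order` class is a hypothetical application type; the XStream calls (`addPermission`, `allowTypes`, `allowTypesByWildcard`, `alias`, `toXML`, `fromXML`) are the library's public API, available since 1.4.7.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical application type: the only non-primitive class that
    // XStream is allowed to instantiate from untrusted input.
    public static class Order {
        String customer;
        int quantity;
    }

    /** Build an XStream instance that accepts only the types we list. */
    public static XStream hardenedXStream() {
        // DomDriver uses the JDK's own XML parser, so no extra parser dependency.
        XStream xstream = new XStream(new DomDriver());

        // Drop whatever permissions are installed by default and start from
        // "deny every type". This is the step that turns the blacklist into
        // an allowlist.
        xstream.addPermission(NoTypePermission.NONE);

        // Re-admit the building blocks every document needs ...
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);

        // ... and the application's own types, nothing else.
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // For a whole model package under your control, a wildcard is the
        // usual form (hypothetical package name):
        // xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });

        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Round-trip an allowed type: unchanged behaviour.
        Order order = new Order();
        order.customer = "alice";
        order.quantity = 3;
        String xml = xstream.toXML(order);
        Order back = (Order) xstream.fromXML(xml);
        System.out.println("allowed: " + back.customer + " x" + back.quantity);

        // Constructed input whose root element names a type that is not on the
        // allowlist. java.util.Date is harmless here; the point is that *any*
        // unlisted class is refused when the mapper resolves the type name,
        // before a converter or constructor is ever reached.
        String untrusted = "<java.util.Date>0</java.util.Date>";
        try {
            xstream.fromXML(untrusted);
            System.out.println("unexpected: type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile with xstream on the classpath and run the class; the first line reports the round-tripped order and the second reports the rejected `java.util.Date`. Keeping `hardenedXStream()` as the single factory for every `XStream` instance in an application is what makes the allowlist effective: an instance created elsewhere with `new XStream()` would still carry the version's default permissions.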
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.thoughtworks.xstream:xstream (Maven) | < 1.4.16 | 1.4.16 |
Affected products
OSV coordinates with their affected version ranges (10 entries; no CPE is recorded for any of them):
- pkg:bitnami/activemq: < 5.15.14
- pkg:maven/com.thoughtworks.xstream/xstream: < 1.4.16
- pkg:rpm/opensuse/xstream&distro=openSUSE%20Leap%2015.2: < 1.4.16-lp152.2.6.1
- pkg:rpm/opensuse/xstream&distro=openSUSE%20Leap%2015.3: < 1.4.16-3.8.1
- pkg:rpm/opensuse/xstream&distro=openSUSE%20Tumbleweed: < 1.4.18-1.1
- pkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2: < 1.4.16-3.8.1
- pkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3: < 1.4.16-3.8.1
- pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.1: < 1.4.16-3.8.1
- pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.2: < 1.4.16-3.8.1
- x-stream/xstream (v5): < 1.4.16
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
23 references:
- github.com/advisories/GHSA-hrcp-8f3q-4w2c [ghsa; advisory]
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ [mitre; vendor advisory; x_refsource_FEDORA]
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ [mitre; vendor advisory; x_refsource_FEDORA]
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ [mitre; vendor advisory; x_refsource_FEDORA]
- nvd.nist.gov/vuln/detail/CVE-2021-21351 [ghsa; advisory]
- www.debian.org/security/2021/dsa-5004 [ghsa; vendor advisory; x_refsource_DEBIAN; web]
- x-stream.github.io/changes.html [ghsa; x_refsource_MISC; web]
- github.com/x-stream/xstream/security/advisories/GHSA-hrcp-8f3q-4w2c [ghsa; x_refsource_CONFIRM; web]
- lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E [mitre; mailing list; x_refsource_MLIST]
- lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E [ghsa; web]
- lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E [mitre; mailing list; x_refsource_MLIST]
- lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E [ghsa; web]
- lists.debian.org/debian-lts-announce/2021/04/msg00002.html [ghsa; mailing list; x_refsource_MLIST; web]
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP [ghsa; web]
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7 [ghsa; web]
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB [ghsa; web]
- security.netapp.com/advisory/ntap-20210430-0002 [ghsa; web]
- security.netapp.com/advisory/ntap-20210430-0002/ [mitre; x_refsource_CONFIRM]
- www.oracle.com//security-alerts/cpujul2021.html [ghsa; x_refsource_MISC; web]
- www.oracle.com/security-alerts/cpujan2022.html [ghsa; x_refsource_MISC; web]
- www.oracle.com/security-alerts/cpuoct2021.html [ghsa; x_refsource_MISC; web]
- x-stream.github.io/CVE-2021-21351.html [ghsa; x_refsource_MISC; web]
- x-stream.github.io/security.html [ghsa; x_refsource_MISC; web]
News mentions
No linked articles in our index yet.