VYPR
High severity · NVD Advisory · Published Aug 23, 2021 · Updated Aug 4, 2024

XStream is vulnerable to an Arbitrary Code Execution attack

CVE-2021-39139

Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XStream versions <= 1.4.17 allow remote code execution via crafted XML when using JDK 1.7u21 or below, or with an external Xalan.

Vulnerability

XStream is vulnerable to arbitrary code execution during unmarshalling. The processed input stream contains type information, and an attacker can inject objects that load and execute arbitrary code from a remote host. All versions up to and including 1.4.17 are affected if using the default configuration with JDK 1.7u21 or below, or when using an external Xalan regardless of Java runtime version. Users who have configured XStream's security framework with a whitelist are not affected [1][2][3].

Exploitation

An attacker needs to manipulate the input stream processed by XStream. The steps are: create a simple LinkedHashSet, marshal it to XML, replace the XML with a crafted payload (e.g., a TemplatesImpl object with malicious bytecodes), and unmarshal it again. No authentication or special access is required; the attacker only needs to supply the malicious XML to a vulnerable application [2].

Impact

Successful exploitation allows a remote attacker to load and execute arbitrary code from a remote host. This results in full system compromise, including arbitrary code execution with the privileges of the affected application. The vulnerability is classified as critical [1][2][3].

Mitigation

The vulnerability is fixed in XStream 1.4.18, which no longer uses a blacklist by default (as blacklisting cannot secure general-purpose use). Users should upgrade to version 1.4.18 or later. As a workaround, users can configure XStream's security framework with a whitelist limited to the minimal required types; this prevents the injection of unexpected classes [1][2][3].
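The whitelist configuration recommended above, written out as an added example (not code from the XStream project or from this advisory). The Order class is a hypothetical application type; the XStream security API calls are the library's own, and explicitly denying everything first makes the result independent of the version's default policy.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
public class SafeXStreamConfig {
    /** Hypothetical application DTO: the only root type this service ever expects. */
    public static final class Order {
        public String id;
        public int quantity;
    }

    /** Configure XStream with an allowlist limited to the types the application needs. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Deny everything first, so the result does not depend on the version's default policy
        // (the blacklist default of <= 1.4.17 is what this advisory's attack bypasses).
        xstream.addPermission(NoTypePermission.NONE);
        // Re-allow the harmless building blocks: null, primitives and their wrappers.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Then only the concrete types of the data model. No java.util collections, no
        // javax.xml.transform types, no allowTypesByWildcard("**"): each widening reopens the hole.
        xstream.allowTypes(new Class[] { String.class, Order.class });
        return xstream;
    }

    /** True if the document deserialised into an Order, false if the allowlist rejected it. */
    public static boolean acceptsDocument(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml) instanceof Order;
        } catch (ForbiddenClassException e) {
            System.err.println("rejected type outside allowlist: " + e.getMessage()); // worth alerting on
            return false;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();
        // Constructed sample 1: a legitimate Order serialised by the same instance round-trips.
        Order order = new Order();
        order.id = "A-1"; order.quantity = 3;
        System.out.println("order accepted: " + acceptsDocument(xstream, xstream.toXML(order)));
        // Constructed sample 2: the stream names a type the application never asked for. Even a
        // harmless java.util collection is refused; a gadget class such as TemplatesImpl fails the same way.
        String unexpected = "<linked-hash-set><string>x</string></linked-hash-set>";
        System.out.println("unexpected accepted: " + acceptsDocument(xstream, unexpected));
    }
}
```

Treat a ForbiddenClassException in production logs as a signal worth investigating rather than a bug to silence by widening the allowlist.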

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.thoughtworks.xstream:xstream (Maven) | < 1.4.18 | 1.4.18

Affected products: 6

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 17

News mentions: 0 (no linked articles in our index yet)