High severity. NVD Advisory. Published Aug 23, 2021. Updated Aug 4, 2024.

XStream is vulnerable to an Arbitrary Code Execution attack

CVE-2021-39145

Description

XStream is a simple library to serialize objects to XML and back again. In affected versions, this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host simply by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XStream up to 1.4.17 allows remote code execution via crafted XML input that loads arbitrary classes from a remote server.

Vulnerability

XStream versions up to and including 1.4.17 are vulnerable to arbitrary code execution when unmarshalling XML input. The vulnerability exists because XStream uses type information in the serialized XML to recreate objects, and an attacker can inject malicious type references that cause the loading of arbitrary classes from a remote server. Users who have configured XStream's security framework with a whitelist of allowed types are not affected. [1][2]

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted XML stream to an application that unmarshals XStream data. The attacker does not need authentication or special privileges; only the ability to supply the input. The provided XML includes a manipulated PriorityQueue with entries that trigger the loading of remote classes via javax.naming.ldap.Rdn$RdnEntry and com.sun.xml.internal.ws.api.message.Packet, ultimately leading to code execution. [2]

Impact

Successful exploitation allows a remote attacker to execute arbitrary code on the target system with the privileges of the application using XStream. This can lead to full compromise of the application and potentially the underlying server, including data theft, malware installation, or further lateral movement. [1][2]

Mitigation

The vulnerability is fixed in XStream version 1.4.18, which no longer uses a blacklist by default (blacklists are insufficient for general-purpose security because new gadget classes keep appearing). Users should upgrade to 1.4.18 or later. As a workaround on older versions, users can configure XStream's security framework with a whitelist of allowed types, which rejects any class not explicitly permitted before it is instantiated. [1][2]
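The whitelist workaround in concrete form, as an added example that is not code from the advisory or from the XStream project: it uses XStream's security-framework API (addPermission, allowTypes, allowTypeHierarchy, and the ForbiddenClassException it throws, all present since 1.4.7), while the Order class, the element names and both XML documents are constructed for the example. The second document names java.util.PriorityQueue, the type the advisory's attack chain starts from, only to show that a type outside the whitelist is refused before any object is created.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.List;

public class XStreamAllowlistExample {

    // Hypothetical application type: the only domain object this service ever unmarshals.
    public static class Order {
        public String id;
        public int quantity;
    }

    /** Build an XStream instance that accepts only the types this application needs. */
    public static XStream buildLockedDownXStream() {
        XStream xstream = new XStream();
        // Start from "deny everything": this clears any default permissions.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-admit the harmless basics: null, primitives and their wrappers.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Explicit whitelist: String plus our own domain class.
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // Lists of orders are legitimate, so allow the Collection hierarchy.
        xstream.allowTypeHierarchy(Collection.class);
        // Friendly element name so clients never need to send the class name.
        xstream.alias("order", Order.class);
        return xstream;
    }

    /** Unmarshal trusted-shape input; returns the parsed object or throws on anything else. */
    public static Object parse(XStream xstream, String xml) {
        return xstream.fromXML(xml);
    }

    public static void main(String[] args) {
        XStream xstream = buildLockedDownXStream();

        // Constructed benign document: exactly the shape the application expects.
        String good = "<list><order><id>A-1</id><quantity>3</quantity></order></list>";
        @SuppressWarnings("unchecked")
        List<Order> orders = (List<Order>) parse(xstream, good);
        System.out.println("parsed " + orders.size() + " order(s), first id=" + orders.get(0).id);

        // Constructed document naming a type the application never whitelisted.
        // No gadget payload is needed to demonstrate the check: the type itself is refused.
        String unexpected = "<java.util.PriorityQueue/>";
        try {
            parse(xstream, unexpected);
            System.out.println("UNEXPECTED: type was accepted; whitelist is not in effect");
        } catch (ForbiddenClassException e) {
            // This is the intended outcome: log and reject the request.
            System.out.println("rejected input, forbidden type: " + e.getMessage());
        }
    }
}
```

Keep the whitelist as small as the application's data model allows and treat every ForbiddenClassException in production logs as a signal worth alerting on, since legitimate clients never send types outside the agreed schema. Upgrading to 1.4.18 or later remains the primary fix; the explicit configuration above is still worthwhile there, because it documents the intended type set rather than relying on whatever defaults a given release ships.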

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Ecosystem   Affected versions   Patched versions
com.thoughtworks.xstream:xstream     Maven       < 1.4.18            1.4.18

Affected products: 6

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 17

News mentions: 0 (no linked articles in our index yet)