XStream is vulnerable to an Arbitrary Code Execution attack
Description
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XStream up to 1.4.17 allows remote code execution via manipulated XML input if no whitelist security framework is used.
Vulnerability
CVE-2021-39151 is an arbitrary code execution vulnerability in XStream, a Java library for serializing objects to XML and back. All versions up to and including 1.4.17 are affected when used without a whitelist-based security framework. The vulnerability exists because XStream deserializes type information from the input stream, allowing an attacker to inject or replace objects that trigger the execution of arbitrary code loaded from a remote server [1][2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious XML payload that includes type references to specific Java classes, such as javax.swing.event.EventListenerList, com.sun.xml.internal.ws.api.message.Packet, and others. The attacker must be able to send the manipulated XML stream to the XStream unmarshalling process. No authentication or special network position is required; the attack is remote and can be triggered by supplying the malicious input to a vulnerable application [2].
Impact
Successful exploitation allows a remote attacker to execute arbitrary code on the target system. This leads to a complete compromise of confidentiality, integrity, and availability (CIA). The attacker gains the ability to run arbitrary commands, load malicious classes, or exfiltrate sensitive data from the affected host [1][2].
Mitigation
Users of XStream should upgrade to version 1.4.18, which no longer uses a blacklist by default and instead relies on a whitelist that users must configure. The official recommendation is to set up XStream's security framework with a whitelist limited to the minimal required types. No user who has followed this guidance is affected. As of the publication date (2021-08-23), version 1.4.18 is the fixed release [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.thoughtworks.xstream:xstreamMaven | < 1.4.18 | 1.4.18 |
Affected products
6- ghsa-coords5 versionspkg:maven/com.thoughtworks.xstream/xstreampkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2pkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.2
< 1.4.18+ 4 more
- (no CPE)range: < 1.4.18
- (no CPE)range: < 1.4.18-3.14.1
- (no CPE)range: < 1.4.18-3.14.1
- (no CPE)range: < 1.4.18-3.14.1
- (no CPE)range: < 1.4.18-3.14.1
- x-stream/xstreamv5Range: < 1.4.18
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
17- github.com/advisories/GHSA-hph2-m3g5-xxv4ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2021-39151ghsaADVISORY
- www.debian.org/security/2021/dsa-5004ghsavendor-advisoryx_refsource_DEBIANWEB
- github.com/x-stream/xstream/security/advisories/GHSA-hph2-m3g5-xxv4ghsax_refsource_CONFIRMWEB
- lists.debian.org/debian-lts-announce/2021/09/msg00017.htmlghsamailing-listx_refsource_MLISTWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHPghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREBghsaWEB
- security.netapp.com/advisory/ntap-20210923-0003ghsaWEB
- security.netapp.com/advisory/ntap-20210923-0003/mitrex_refsource_CONFIRM
- www.oracle.com/security-alerts/cpuapr2022.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2022.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujul2022.htmlghsax_refsource_MISCWEB
- x-stream.github.io/CVE-2021-39151.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.