VYPR
High severity · NVD Advisory · Published Aug 23, 2021 · Updated Aug 4, 2024

A Server-Side Request Forgery vulnerability in XStream via HashMap unmarshalling

CVE-2021-39152

Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available, solely by manipulating the processed input stream, when the application runs on a Java runtime version 8 to 14. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.18.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XStream deserialization vulnerability allows SSRF to internal resources via manipulated input stream on Java 8-14.

Vulnerability

XStream versions up to and including 1.4.17, when used with Java runtime versions 8 to 14 and relying on the default blacklist of the security framework, are vulnerable to server-side request forgery (SSRF) [1]. The vulnerability exists because the stream XStream unmarshals carries the type information needed to recreate the objects that were written, and XStream instantiates whatever types that stream names. An attacker can therefore replace or inject type information. The element name jdk.nashorn.internal.runtime.Source_-URLData is XStream's XML encoding of the inner class jdk.nashorn.internal.runtime.Source$URLData (XStream writes the $ of an inner-class name as _-); placing it in a HashMap entry makes XStream instantiate that Nashorn type with an attacker-chosen URL and then put it into the map, and that insertion is what triggers a request to the embedded URL [2]. Nashorn ships with the JDK only up to Java 14 (it was removed in Java 15), which is why later runtimes are not affected.

Exploitation

An attacker who can deliver a crafted XML document to an endpoint that unmarshals it with XStream can exploit this vulnerability; no authentication beyond reaching that endpoint is required. The attacker marshals a simple HashMap to XML, then replaces the marshalled content with a crafted snippet that names the Nashorn type and embeds a URL pointing at an internal resource (e.g., http://localhost:8080/internal/). Unmarshalling this XML causes XStream to issue a request to that URL from the server, which is the SSRF [2].

Impact

A successful exploit allows the attacker to make arbitrary HTTP requests from the server hosting XStream to internal resources (intranet or localhost) that are not publicly accessible. This can lead to disclosure of sensitive data or interaction with internal services. The vulnerability does not directly enable remote code execution but can be a stepping stone for further attacks [1][2].

Mitigation

Users who have set up XStream's security framework with a whitelist limited to the minimal required types are not affected. For those relying on the default blacklist, upgrading to XStream version 1.4.18 or later is necessary [1]. The fixed version was released around the time of the CVE publication (2021-08-23) [2]. Deployments that cannot upgrade have the same option the advisory recommends in the first place: configure the security framework with a whitelist limited to the types the application actually needs, so that the Nashorn type named in the payload is never instantiated. Applications running on Java 15 or later are not affected by this particular issue because the Nashorn classes are no longer present, but that is no substitute for the whitelist, which also covers the other gadget types fixed in 1.4.18.
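As an added example (not code from this page or from the XStream project), the following Java program places the payload shape described under Exploitation next to the two configurations discussed under Mitigation: a plain instance that relies on the built-in blacklist, and the whitelist the advisory recommends. Assumptions made here: the XML is a reconstruction of a marshalled HashMap whose key element has been replaced, using XStream's _- encoding of the $ in jdk.nashorn.internal.runtime.Source$URLData; the target URL is the placeholder quoted above; and the denyTypes stop-gap for deployments stuck on 1.4.17 is this example's own suggestion, not a recommendation taken from the advisory text.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.HashMap;
import java.util.Map;

/** Added example for CVE-2021-39152: payload shape next to the affected and hardened configurations. */
public class XStreamSsrfHardening {

    // Constructed payload (assumption of this example). A marshalled HashMap<String,String> looks like
    // <map><entry><string>k</string><string>v</string></entry></map>; here the key element has been
    // replaced by the Nashorn type. XStream writes the '$' of an inner-class name as "_-", so this
    // element denotes jdk.nashorn.internal.runtime.Source$URLData, and <url> is its java.net.URL
    // field. The target is the placeholder URL from the advisory text.
    static final String CRAFTED_XML =
        "<map>\n"
      + "  <entry>\n"
      + "    <jdk.nashorn.internal.runtime.Source_-URLData>\n"
      + "      <url>http://localhost:8080/internal/</url>\n"
      + "    </jdk.nashorn.internal.runtime.Source_-URLData>\n"
      + "    <string>test</string>\n"
      + "  </entry>\n"
      + "</map>\n";

    /** Affected setup: a plain instance of XStream <= 1.4.17 relying on the built-in blacklist. */
    static XStream defaultBlacklist() {
        return new XStream();
    }

    /** Recommended setup: drop every default permission, then allow only the types this endpoint needs. */
    static XStream whitelisted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);               // forget all default permissions
        xs.addPermission(NullPermission.NULL);                 // "null" values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);  // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, HashMap.class });
        return xs;
    }

    /** Stop-gap for a deployment stuck on 1.4.17 (this example's suggestion): extend the blacklist. */
    static XStream extendedBlacklist() {
        XStream xs = new XStream();
        xs.denyTypes(new String[] { "jdk.nashorn.internal.runtime.Source$URLData" });
        return xs;
    }

    /**
     * Unmarshals xml and reports whether XStream refused it. A refusal by the security framework
     * surfaces as an XStreamException (ForbiddenClassException, possibly wrapped in a
     * ConversionException); on a JDK without Nashorn the class cannot be resolved at all, which is
     * also an XStreamException. The root cause is printed so the reason is visible.
     */
    static boolean rejected(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return false;
        } catch (XStreamException e) {
            Throwable root = e;
            while (root.getCause() != null) root = root.getCause();
            System.out.println("  refused: " + root.getClass().getName() + ": " + root.getMessage());
            return true;
        }
    }

    public static void main(String[] args) {
        // Legitimate traffic still round-trips through the whitelist.
        Map<String, String> m = new HashMap<>();
        m.put("key", "value");
        XStream safe = whitelisted();
        Object back = safe.fromXML(safe.toXML(m));
        System.out.println("benign round-trip: " + back);

        System.out.println("whitelist rejects payload:          " + rejected(safe, CRAFTED_XML));
        System.out.println("extended blacklist rejects payload: " + rejected(extendedBlacklist(), CRAFTED_XML));

        // Deliberately not executed: on XStream <= 1.4.17 with Java 8 to 14 this is the
        // unmarshal that issues the request the advisory describes.
        // defaultBlacklist().fromXML(CRAFTED_XML);
    }
}
```

The whitelist is built from nothing: NoTypePermission.NONE removes every permission XStream registered by default, and only the explicitly allowed types survive, so a new gadget class in some future JDK is refused just as this one is. A blacklist, whether the built-in one or the extendedBlacklist() above, has to be updated for every new gadget, which is exactly why the advisory points to the whitelist.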

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.thoughtworks.xstream:xstream (Maven) | < 1.4.18 | 1.4.18
