VYPR
High severity · NVD Advisory · Published Sep 16, 2022 · Updated Apr 21, 2025

Stack Buffer Overflow in xstream

CVE-2022-40151

Description

Those using Xstream to serialize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XStream versions up to 1.4.19 are vulnerable to denial of service via stack overflow when unmarshalling deeply nested XML objects.

Description

XStream, a Java library for serializing objects to XML and back, is vulnerable to a denial of service (DoS) attack due to a stack overflow. The vulnerability arises because XStream processes type information from the input stream during unmarshalling to recreate objects. An attacker can craft XML input containing deeply nested elements, causing the recursion depth to exceed the stack limit and resulting in a stack overflow error [2].

Exploitation

An attacker can exploit this vulnerability by supplying a malicious XML payload to an application that uses XStream to unmarshal user-supplied data. No authentication is required; the attacker only needs to be able to send the crafted input to the parser. The provided proof-of-concept demonstrates that nesting 10,000 `` elements is sufficient to trigger the overflow [2].

Impact

Successful exploitation causes the executing thread to abort with a StackOverflowError, leading to a denial of service. The application may become unresponsive or crash, depending on how the error is handled [4].

Mitigation

XStream version 1.4.20 addresses the issue by catching the StackOverflowError and throwing an InputManipulationException instead, preventing the crash. Users should upgrade to this version or later. As a workaround, client code can catch StackOverflowError when calling XStream [2][4].
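A defensive call site for applications that must unmarshal untrusted XML with XStream, written as an added example for this advisory (it is not XStream's own code): a StAX pass that rejects input whose element nesting exceeds a bound before XStream recurses over it, plus the StackOverflowError catch the advisory names as the pre-1.4.20 workaround. The class name, the 256-level bound and the 300-deep constructed sample are assumptions; String.repeat needs Java 11 or later.

```java
import com.thoughtworks.xstream.XStream;
import java.io.StringReader;
import java.util.ArrayList;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public final class SafeUnmarshal {
    // Assumption: 256 levels is ample for legitimate documents; tune it to your own object graphs.
    static final int MAX_DEPTH = 256;
    // Rejects xml once its element nesting exceeds limit. StAX walks the document with a counter rather
    // than recursion, so this pre-check cannot itself overflow the stack on deeply nested input.
    static void requireDepthAtMost(String xml, int limit) throws XMLStreamException {
        XMLStreamReader r = XMLInputFactory.newFactory().createXMLStreamReader(new StringReader(xml));
        int depth = 0;
        try {
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.START_ELEMENT && ++depth > limit) {
                    throw new IllegalArgumentException("element nesting exceeds " + limit);
                } else if (ev == XMLStreamConstants.END_ELEMENT) {
                    depth--;
                }
            }
        } finally {
            r.close();
        }
    }
    // Unmarshals untrusted XML; rejected or overflowing input becomes a controlled exception, not a dead thread.
    static Object fromUntrustedXml(XStream xstream, String xml) {
        try {
            requireDepthAtMost(xml, MAX_DEPTH);
            return xstream.fromXML(xml);
        } catch (StackOverflowError e) {
            // The workaround the advisory names for versions before 1.4.20: catch the Error at the call site.
            throw new IllegalArgumentException("XStream overflowed the stack on this input", e);
        } catch (XMLStreamException e) {
            throw new IllegalArgumentException("malformed XML", e);
        }
    }
    public static void main(String[] args) {
        XStream xstream = new XStream();
        xstream.allowTypes(new Class[] { ArrayList.class }); // XStream's own allowlist API; <list> maps to ArrayList
        // Constructed sample: 300 nested <list> elements, beyond MAX_DEPTH, so the pre-check rejects it.
        String nested = "<list>".repeat(300) + "</list>".repeat(300);
        try { fromUntrustedXml(xstream, nested); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The depth bound is cheap to evaluate and independent of the XStream version, so it remains worthwhile after upgrading to 1.4.20, where the library converts the overflow into an InputManipulationException rather than letting the thread die.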

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.thoughtworks.xstream:xstream (Maven)
Affected versions: < 1.4.20
Patched versions: 1.4.20

Affected products: 16

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0 (no linked articles in our index yet)