Multiple Vulnerabilities Found in XStream

Published on 15 Mar 2021

Updated on 15 Mar 2021

XStream, is an open-source Java library to serialise objects to XML and back again, has released security patches to address multiple vulnerabilities in the product. Some of the vulnerabilities were rated as critical and could lead to a remote code execution attack.


These vulnerabilities are:

  • CVE-2021-21341 -  A vulnerability that could cause a Denial of Service.

  • CVE-2021-21342, CVE-2021-21349 - Server-Side Forgery Request (SSRF) vulnerabilities which could be activated via unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the localhost.

  • CVE-2021-21343 - XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling if the executing process has sufficient rights. 

  • CVE-2021-21344, CVE-2021-21346, CVE-2021-21347, CVE-2021-21350, CVE-2021-21351 - XStream is vulnerable to an Arbitrary Code Execution attack

  • CVE-2021-21345 -  - XStream is vulnerable to an Arbitrary Command Execution attack.

  • CVE-2021-21348 -  XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos).


All versions prior to and including version 1.4.15 are affected by these vulnerabilities. Users and administrators of the affected versions are advised to upgrade to the latest product versions immediately.

More information is available here:
https://x-stream.github.io/security.html