
CVE-2021-29505: CWE-94: Improper Control of Generation of Code ('Code Injection') in x-stream xstream

Severity: High
Tags: Vulnerability, CVE-2021-29505, CWE-94, CWE-502
Published: Fri May 28 2021 (05/28/2021, 21:00:19 UTC)
Source: CVE Database V5
Vendor/Project: x-stream
Product: xstream

Description

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker who has sufficient rights to execute commands on the host solely by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.

AI-Powered Analysis

Last updated: 07/07/2025, 21:58:32 UTC

Technical Analysis

CVE-2021-29505 is a high-severity vulnerability affecting versions of the XStream library prior to 1.4.17. XStream is a widely used Java library that serializes objects to XML and deserializes XML back into Java objects. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code, commonly known as code injection) and CWE-502 (Deserialization of Untrusted Data). It arises because XStream processes XML input streams without sufficiently validating or restricting the types they name, so an attacker with limited privileges can craft a malicious XML payload that, when deserialized, executes arbitrary code on the host system and can lead to full compromise of the affected system. The attacker needs some means of supplying input to the deserialization process, but no user interaction is required. The risk is mitigated if the application using XStream has configured XStream's security framework with a strict whitelist that limits deserialization to the minimal required types. The vulnerability was patched in XStream version 1.4.17, which introduced improved security controls to prevent unsafe deserialization. The CVSS v3.1 score is 7.5, reflecting a high impact on confidentiality, integrity, and availability, with a network attack vector, low privileges required, and no user interaction needed. No exploits in the wild had been reported as of the publication date, but the potential for remote code execution makes this a critical concern for applications that rely on vulnerable XStream versions.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those running Java applications that use XStream for XML serialization and deserialization. Exploitation can lead to remote code execution, allowing attackers to gain unauthorized access, steal sensitive data, disrupt services, or move laterally within networks. This can affect sectors such as finance, healthcare, government, and critical infrastructure, where Java-based enterprise applications are common. A breach of confidentiality and integrity could result in regulatory penalties under GDPR due to data exposure, and availability impacts could disrupt business operations. Because exploitation requires only low privileges and no user interaction, the risk is higher in environments where untrusted input is processed. Organizations that have not implemented strict type whitelisting or have not updated to the patched version remain vulnerable. Given the widespread use of Java and XStream in Europe, the threat is relevant across multiple industries and organizational sizes.

Mitigation Recommendations

1. Upgrade immediately to XStream version 1.4.17 or later so that the vulnerability is patched.
2. Configure XStream's security framework strictly, whitelisting only the minimal set of classes required for deserialization, so that payloads naming other types are rejected before they are processed.
3. Audit all Java applications that use XStream to identify vulnerable versions and usage patterns.
4. Restrict access to interfaces or services that accept XML input for deserialization, applying network segmentation and access controls to limit exposure.
5. Employ runtime application self-protection (RASP) or Web Application Firewalls (WAFs) with rules that detect and block suspicious XML payloads indicative of exploitation attempts.
6. Monitor logs and network traffic for unusual deserialization activity or anomalies related to XStream usage.
7. Educate developers and security teams about secure deserialization practices and the risks of processing untrusted data.
8. Incorporate deserialization security checks into the software development lifecycle and continuous integration pipelines to prevent reintroduction of vulnerable code.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2021-03-30T00:00:00
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6838f151182aa0cae293f9cb

Added to database: 5/29/2025, 11:44:17 PM

Last enriched: 7/7/2025, 9:58:32 PM

Last updated: 7/31/2025, 2:37:33 AM
