CVE-2021-43859: CWE-400: Uncontrolled Resource Consumption in x-stream xstream

Medium
Published: Tue Feb 01 2022 (02/01/2022, 12:08:57 UTC)
Source: CVE
Vendor/Project: x-stream
Product: xstream

Description

XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.

AI-Powered Analysis

Last updated: 06/22/2025, 04:21:59 UTC

Technical Analysis

CVE-2021-43859 is a medium-severity vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the open-source Java library XStream, which is widely used for serializing objects to XML and deserializing XML back into objects. Versions of XStream prior to 1.4.19 are vulnerable to a denial-of-service (DoS) attack where a remote attacker can craft malicious input streams that cause the target system to consume excessive CPU resources, potentially reaching 100% CPU utilization. This resource exhaustion occurs due to the way XStream processes input streams, particularly when adding elements to collections during deserialization. The vulnerability can be triggered remotely without authentication, simply by manipulating the XML input processed by the library. The impact is primarily a denial of service, as the system becomes unresponsive or severely degraded due to CPU exhaustion. XStream 1.4.19 addresses this issue by monitoring and accumulating the time taken to add elements to collections and throwing an exception if a predefined threshold is exceeded, effectively preventing runaway resource consumption. For users unable to upgrade immediately, setting the NO_REFERENCE mode can mitigate the risk by preventing recursive processing that leads to excessive resource use. Additional workarounds are documented in GHSA-rmr5-cpv2-vgjf. There are no known exploits in the wild at this time, but the vulnerability poses a risk to any Java application using vulnerable versions of XStream, especially those exposed to untrusted XML input streams.

Potential Impact

For European organizations, the primary impact of this vulnerability is the risk of denial-of-service attacks that can disrupt critical applications relying on XStream for XML processing. This can affect availability of services, leading to operational downtime, degraded performance, and potential financial losses. Industries with heavy reliance on Java-based middleware, enterprise applications, or integration platforms that use XStream are particularly at risk. The vulnerability does not directly compromise confidentiality or integrity but can indirectly affect business continuity and service reliability. Organizations providing public-facing APIs or services that accept XML input are more exposed, as attackers can remotely trigger the CPU exhaustion without authentication or user interaction. This could impact sectors such as finance, telecommunications, manufacturing, and government services across Europe, where Java applications are prevalent. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits in the future.

Mitigation Recommendations

1. Upgrade all instances of XStream to version 1.4.19 or later as soon as possible to benefit from the built-in protection against uncontrolled resource consumption.
2. For environments where immediate upgrade is not feasible, configure XStream to use the NO_REFERENCE mode to prevent recursive deserialization that leads to excessive CPU usage.
3. Implement input validation and filtering to restrict or sanitize XML input streams before processing, limiting the complexity and size of XML documents accepted by the application.
4. Employ runtime monitoring and alerting on CPU usage spikes in applications using XStream to detect potential exploitation attempts early.
5. Use application-level rate limiting or throttling on endpoints that accept XML input to reduce the risk of resource exhaustion from repeated malicious requests.
6. Conduct code reviews and dependency audits to identify all usages of XStream and ensure they are updated or mitigated accordingly.
7. Consider deploying Web Application Firewalls (WAFs) with XML anomaly detection capabilities to block suspicious XML payloads targeting deserialization vulnerabilities.
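The following is an added example (not code from the advisory or from the XStream project) of how recommendations 2 and 3 look in an application that must keep a pre-1.4.19 XStream for a while: the reference mode the advisory calls NO_REFERENCE is set through the `XStream.NO_REFERENCES` constant, the accepted types are allowlisted, and oversized documents are rejected before XStream parses them. The `Order` class, the `HardenedXStreamConfig` class and the 64 KiB size limit are assumptions chosen for illustration.

```java
import com.thoughtworks.xstream.XStream;
import java.io.Reader;
import java.io.StringReader;
import java.util.List;

/** Hardened XStream setup for untrusted XML (hypothetical helper, not part of XStream). */
public final class HardenedXStreamConfig {

    /** Largest XML document this endpoint will hand to XStream (assumed policy value). */
    private static final int MAX_XML_CHARS = 64 * 1024;

    /** Example payload type that untrusted input is allowed to deserialize into (assumed). */
    public static final class Order {
        public String id;
        public List<String> items;
    }

    private HardenedXStreamConfig() {
    }

    public static XStream newHardenedInstance() {
        XStream xstream = new XStream();

        // Advisory workaround for versions before 1.4.19: NO_REFERENCES disables XPath/ID
        // back-references, so an input document cannot make elements point at each other
        // and build the recursive structure that drives the CPU exhaustion.
        xstream.setMode(XStream.NO_REFERENCES);

        // Only the types this endpoint expects may be instantiated; everything else is
        // rejected by XStream's security framework before any converter runs.
        xstream.allowTypes(new Class[] { Order.class });

        return xstream;
    }

    /** Mitigation 3: bound document size before XStream sees the input. */
    public static Order parseOrder(String xml) {
        if (xml == null || xml.length() > MAX_XML_CHARS) {
            throw new IllegalArgumentException(
                    "XML payload exceeds " + MAX_XML_CHARS + " characters");
        }
        Reader reader = new StringReader(xml);
        return (Order) newHardenedInstance().fromXML(reader);
    }
}
```

Upgrading to 1.4.19 remains the primary fix; this configuration only narrows what a pre-1.4.19 instance will process.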

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2021-11-16T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9848c4522896dcbf60f8

Added to database: 5/21/2025, 9:09:28 AM

Last enriched: 6/22/2025, 4:21:59 AM

Last updated: 7/29/2025, 7:17:26 AM
