CVE-2017-7957

HIGH

XStream <= 1.4.9 - Improper Input Validation (remote crash via 'void' instantiation; shipped in Red Hat Fuse, JBoss Middleware and Debian)

Title source: rule

Exploitation Summary

EIP tracks 2 public exploit repositories for CVE-2017-7957, published by dawetmaster and andikahilmy. Both are classified below as stubs: neither contains a working PoC.

AI-analyzed exploit summary: Both tracked repositories contain only XStream benchmarking code from a performance-testing framework. Neither carries exploit code or technical analysis of CVE-2017-7957, and neither demonstrates the vulnerability.

Description

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
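The call named in the description, the denyTypes workaround it refers to, and a whitelist configuration, as an added Java example. This is not code from the XStream project or from either repository listed below. The Greeting class, the greeting alias and the sample XML are assumptions for illustration; VOID_PAYLOAD is the constructed input from the description. On an unpatched 1.4.9 the plain new XStream().fromXML("<void/>") is the crash itself, so the example never runs it unhardened; it only shows the two configurations under which the same payload is refused with a ForbiddenClassException before any instance is created, and why the explicit deny is still needed beside a primitives whitelist.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added example (not XStream project code, not from the listed repositories).
// Shows the CVE-2017-7957 payload from the description and two configurations
// under which XStream refuses it before any instance of 'void' is created.
public class XStreamVoidCheck {

    // Constructed payload: the exact input the description names.
    static final String VOID_PAYLOAD = "<void/>";

    // Hypothetical DTO standing in for whatever the application really unmarshals.
    public static class Greeting {
        public String text;
    }

    // Workaround for an unpatched 1.4.x: keep the default configuration and deny the
    // void types explicitly. The default blacklist is otherwise unchanged, so this
    // closes the crash only; prefer the whitelist below for anything untrusted.
    static XStream withDenyTypesWorkaround() {
        XStream xstream = new XStream();
        xstream.denyTypes(new Class[]{ void.class, Void.class });
        return xstream;
    }

    // Whitelist: NoTypePermission.NONE clears every default permission, then only
    // null, primitives/wrappers and the application's own type are re-allowed.
    // void.class.isPrimitive() is true, so PRIMITIVES on its own would still admit
    // 'void' on a build without the 1.4.10 fix. Permissions are consulted most
    // recently added first, so the deny registered last is checked before PRIMITIVES.
    static XStream withWhitelist() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[]{ Greeting.class });
        xstream.denyTypes(new Class[]{ void.class, Void.class });
        xstream.alias("greeting", Greeting.class);
        return xstream;
    }

    // True when the security mapper rejects the root type before instantiation.
    static boolean rejects(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream hardened = withWhitelist();

        // Legitimate input still round-trips through the whitelisted instance.
        Greeting g = (Greeting) hardened.fromXML("<greeting><text>hi</text></greeting>");
        System.out.println("legit payload     -> " + g.text);

        // The CVE payload is refused under both configurations.
        System.out.println("whitelist rejects -> " + rejects(hardened, VOID_PAYLOAD));
        System.out.println("denyTypes rejects -> " + rejects(withDenyTypesWorkaround(), VOID_PAYLOAD));

        // Deliberately absent: new XStream().fromXML(VOID_PAYLOAD). On 1.4.9 or earlier
        // that call is the crash the description reports, not a catchable exception.
    }
}
```

Compile against xstream 1.4.7 or later (the security API, denyTypes and ForbiddenClassException appear in 1.4.7). The check at the end of rejects() is what separates a patched or hardened deployment from a vulnerable one: the type is refused by the security mapper before the reflection provider is ever asked to allocate it.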

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2017-7957-xstream-vulnerable

This repository contains benchmarking code for XStream but lacks any exploit code or technical analysis related to CVE-2017-7957. The files are part of a performance testing framework and do not demonstrate the vulnerability.

Classification
Stub 90%
Attack Type
Deserialization
Complexity
Theoretical
Reliability
Theoretical
Target: XStream (version not specified)
No auth needed
Prerequisites: None identified
devstral-2 · analyzed Mar 14, 2026
nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2017-7957-xstream-vulnerable

The repository contains only benchmarking code for XStream and lacks any exploit or vulnerability demonstration for CVE-2017-7957. No PoC or technical analysis of the deserialization vulnerability is present.

Classification
Stub 90%
Attack Type
Deserialization
Complexity
Trivial
Reliability
Theoretical
Target: XStream (version not specified)
No auth needed
devstral-2 · analyzed Feb 18, 2026

References (9)

Core References
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2888
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1832
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2889
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039499
Broken Link, Permissions Required x_refsource_confirm
https://www-prd-trops.events.ibm.com/node/715749
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/125800
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3841
Vendor Advisory x_refsource_confirm
http://x-stream.github.io/CVE-2017-7957.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/100687

Scores

CVSS v3 7.5
EPSS 0.0264
EPSS Percentile 86.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-20
Status published
Products (6)
com.thoughtworks.xstream/xstream >= 0, < 1.4.10 (Maven)
debian/debian_linux 8.0
debian/debian_linux 9.0
redhat/fuse 1.0
redhat/jboss_middleware 1
xstream/xstream <= 1.4.9
Published Apr 29, 2017
Tracked Since Feb 18, 2026