CVE-2021-29505

HIGH NUCLEI

XStream < 1.4.17 - Remote Code Execution via Untrusted Data Deserialization

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-29505. PoCs published by MyBlackManba, JAckLosingHeart, cuijiung. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2021-29505, leveraging XStream deserialization with a crafted XML payload to achieve remote code execution via a malicious RMI server. The PoC uses the CommonsCollections6 gadget chain and includes detailed reproduction steps.

Description

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.

Exploits (3)

nomisec WORKING POC 6 stars

by MyBlackManba · poc

https://github.com/MyBlackManba/CVE-2021-29505

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2021-29505, leveraging XStream deserialization with a crafted XML payload to achieve remote code execution via a malicious RMI server. The PoC uses the CommonsCollections6 gadget chain and includes detailed reproduction steps.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: XStream (versions affected by CVE-2021-29505)

No auth needed

Prerequisites: Java environment · XStream library · Commons Collections library · ysoserial tool for RMI server setup

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

github WORKING POC 5 stars

by JAckLosingHeart · javapoc

https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/xstream-CVE-2021-29505

View Code ZIP pw:eip

This is a functional exploit PoC for CVE-2021-29505, demonstrating a deserialization vulnerability in XStream. The code constructs a malicious XML payload that, when deserialized, triggers a chain of gadgets leading to arbitrary code execution via RMI registry interaction.

Classification

Working Poc 95%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: XStream (versions prior to 1.4.18)

No auth needed

Prerequisites: XStream library in classpath · Network access to attacker-controlled RMI server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC

by cuijiung · poc

https://github.com/cuijiung/xstream-CVE-2021-29505

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2021-29505, leveraging XStream deserialization to achieve remote code execution via a crafted XML payload. The payload uses a chain of Java classes to trigger JNDI injection, targeting RMI endpoints.

Classification

Working Poc 95%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: XStream (versions prior to 1.4.18)

No auth needed

Prerequisites: XStream library in classpath · Network access to attacker-controlled RMI endpoint

MITRE ATT&CK