CVE-2021-43859

HIGH

XStream <1.4.19 - DoS

Title source: llm

Description

XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2021-43859-xstream-vulnerable
nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2021-43859-xstream-vulnerable

References (10)

Scores

CVSS v3 7.5
EPSS 0.0186
EPSS Percentile 83.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-400
Status published
Products (18)
com.thoughtworks.xstream/xstream 0 - 1.4.19Maven
debian/debian_linux 9.0
fedoraproject/fedora 34
fedoraproject/fedora 35
jenkins/jenkins < 2.319.3
oracle/commerce_guided_search 11.3.2
oracle/communications_brm_-_elastic_charging_engine 12.0.0.5.0
oracle/communications_brm_-_elastic_charging_engine < 12.0.0.4.6
oracle/communications_cloud_native_core_automated_test_suite 1.9.0
oracle/communications_diameter_intelligence_hub 8.0.0 - 8.1.0
... and 8 more
Published Feb 01, 2022
Tracked Since Feb 18, 2026