CVE-2021-43859

HIGH

XStream <1.4.19 - DoS


Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-43859. PoCs published by dawetmaster and andikahilmy.

AI-analyzed exploit summary

This repository appears to be a fork or snapshot of the XStream project but lacks any exploit code or technical analysis related to CVE-2021-43859. It contains benchmarking tools and general project files without demonstrating the vulnerability.

Description

XStream is an open-source Java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to consume 100% of CPU time on the target system (depending on CPU type or parallel execution of such a payload), resulting in a denial of service, solely by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.

Exploits (2)

Source: nomisec · STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2021-43859-xstream-vulnerable


Classification: Stub (90%)
Attack Type: Deserialization
Complexity: Theoretical
Reliability: Theoretical
Target: XStream (versions < 1.4.19)
Authentication: No auth needed
Prerequisites: None identified in the repository
Analyzed by devstral-2 on Mar 14, 2026
Source: nomisec · STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2021-43859-xstream-vulnerable

This repository appears to be a fork or mirror of the XStream project without any exploit code or technical analysis specific to CVE-2021-43859. It contains benchmarking tools and general project files but lacks a functional PoC or detailed writeup.

Classification: Stub (90%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Theoretical
Target: XStream (versions < 1.4.19)
Authentication: No auth needed
Prerequisites: Vulnerable XStream version · Ability to send crafted serialized data
Analyzed by devstral-2 on Feb 18, 2026

Scores

CVSS v3: 7.5
EPSS: 0.0186
EPSS Percentile: 83.5%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-400
Status: published
Products (18)
com.thoughtworks.xstream/xstream 0 - 1.4.19 (Maven)
debian/debian_linux 9.0
fedoraproject/fedora 34
fedoraproject/fedora 35
jenkins/jenkins < 2.319.3
oracle/commerce_guided_search 11.3.2
oracle/communications_brm_-_elastic_charging_engine 12.0.0.5.0
oracle/communications_brm_-_elastic_charging_engine < 12.0.0.4.6
oracle/communications_cloud_native_core_automated_test_suite 1.9.0
oracle/communications_diameter_intelligence_hub 8.0.0 - 8.1.0
... and 8 more
Published: Feb 01, 2022
Tracked Since: Feb 18, 2026