CVE-2022-41966

HIGH

XStream < 1.4.20 - Denial of Service via Recursive Hash Calculation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-41966. PoCs published by 111ddea.

AI-analyzed exploit summary This PoC demonstrates a deserialization vulnerability in XStream (CVE-2022-41966) by crafting a malicious XML payload with nested sets and circular references, leading to a denial-of-service (DoS) condition.

Description

XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.

Exploits (1)

nomisec WORKING POC 3 stars

by 111ddea · poc

https://github.com/111ddea/Xstream_cve-2022-41966

View Code ZIP pw:eip

This PoC demonstrates a deserialization vulnerability in XStream (CVE-2022-41966) by crafting a malicious XML payload with nested sets and circular references, leading to a denial-of-service (DoS) condition.

Classification

Working Poc 90%

Attack Type

Deserialization

Complexity

Trivial

Reliability

Reliable

Target: XStream (versions prior to 1.4.20)

No auth needed

Prerequisites: XStream library vulnerable to CVE-2022-41966

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory

https://security.netapp.com/advisory/ntap-20230216-0005/

Mitigation, Third Party Advisory x_refsource_confirm

https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv

Exploit, Vendor Advisory x_refsource_misc

https://x-stream.github.io/CVE-2022-41966.html

Scores

CVSS v3 8.2

EPSS 0.0869

EPSS Percentile 94.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-502 CWE-121 CWE-674 CWE-120

Status published

Products (2)

com.thoughtworks.xstream/xstream 0 - 1.4.20Maven

xstream/xstream < 1.4.20

Published Dec 28, 2022

Tracked Since Feb 18, 2026