XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 23 May 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Xstream
Xstream xstream
CPEs cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*
Vendors & Products Xstream Project
Xstream Project xstream
Xstream
Xstream xstream

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2024-08-04T01:58:18.112Z

Reserved: 2021-08-16T00:00:00

Link: CVE-2021-39140

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2021-08-23T19:15:10.440

Modified: 2025-05-23T16:50:34.143

Link: CVE-2021-39140

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-08-22T00:00:00Z

Links: CVE-2021-39140 - Bugzilla

cve-icon OpenCVE Enrichment

No data.