XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 23 May 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Xstream
Xstream xstream
CPEs cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*
Vendors & Products Xstream Project
Xstream Project xstream
Xstream
Xstream xstream

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2024-08-04T01:58:18.235Z

Reserved: 2021-08-16T00:00:00

Link: CVE-2021-39149

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2021-08-23T18:15:12.790

Modified: 2025-05-23T16:50:01.620

Link: CVE-2021-39149

cve-icon Redhat

Severity : Important

Publid Date: 2021-08-22T00:00:00Z

Links: CVE-2021-39149 - Bugzilla

cve-icon OpenCVE Enrichment

No data.