Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:deb/debian/libxstream-java@1.4.20-1?distro=trixie
Typedeb
Namespacedebian
Namelibxstream-java
Version1.4.20-1
Qualifiers
distro trixie
Subpath
Is_vulnerablefalse
Next_non_vulnerable_version1.4.20-1+deb12u1
Latest_non_vulnerable_version1.4.21-1
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-9442-1vwr-5fbt
vulnerability_id VCID-9442-1vwr-5fbt
summary 
XStream can cause Denial of Service via stack overflow
### Impact
The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.

### Patches
XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.

### Workarounds
The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. Following types of the Java runtime are affected:

- java.util.HashMap
- java.util.HashSet
- java.util.Hashtable
- java.util.LinkedHashMap
- java.util.LinkedHashSet
- Other third party collection implementations that use their element's hash code may also be affected

A simple solution is to catch the StackOverflowError in the client code calling XStream.

If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode:
```Java
XStream xstream = new XStream();
xstream.setMode(XStream.NO_REFERENCES);
```

If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types:
```Java
XStream xstream = new XStream();
xstream.denyTypes(new Class[]{
 java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class
});
```

Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time::
```Java
xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);
xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);
```
However, this implies that your application does not care about the implementation of the map and all elements are comparable.

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-41966](https://x-stream.github.io/CVE-2022-41966.html).

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41966.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41966.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-41966
reference_id
reference_type
scores
0
value 0.02376
scoring_system epss
scoring_elements 0.84993
published_at 2026-04-21T12:55:00Z
1
value 0.02376
scoring_system epss
scoring_elements 0.84911
published_at 2026-04-02T12:55:00Z
2
value 0.02376
scoring_system epss
scoring_elements 0.84929
published_at 2026-04-04T12:55:00Z
3
value 0.02376
scoring_system epss
scoring_elements 0.84934
published_at 2026-04-07T12:55:00Z
4
value 0.02376
scoring_system epss
scoring_elements 0.84957
published_at 2026-04-08T12:55:00Z
5
value 0.02376
scoring_system epss
scoring_elements 0.84963
published_at 2026-04-09T12:55:00Z
6
value 0.02376
scoring_system epss
scoring_elements 0.84979
published_at 2026-04-11T12:55:00Z
7
value 0.02376
scoring_system epss
scoring_elements 0.84978
published_at 2026-04-12T12:55:00Z
8
value 0.02376
scoring_system epss
scoring_elements 0.84973
published_at 2026-04-13T12:55:00Z
9
value 0.02376
scoring_system epss
scoring_elements 0.84994
published_at 2026-04-16T12:55:00Z
10
value 0.02376
scoring_system epss
scoring_elements 0.84996
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-41966
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41966
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41966
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/x-stream/xstream
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/x-stream/xstream
5
reference_url https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-11T14:50:46Z/
url https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-41966
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-41966
7
reference_url https://x-stream.github.io/CVE-2022-41966.html
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-11T14:50:46Z/
url https://x-stream.github.io/CVE-2022-41966.html
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027754
reference_id 1027754
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027754
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2170431
reference_id 2170431
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2170431
10
reference_url https://github.com/advisories/GHSA-j563-grx4-pjpv
reference_id GHSA-j563-grx4-pjpv
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j563-grx4-pjpv
11
reference_url https://access.redhat.com/errata/RHSA-2023:1006
reference_id RHSA-2023:1006
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1006
12
reference_url https://access.redhat.com/errata/RHSA-2023:1177
reference_id RHSA-2023:1177
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1177
13
reference_url https://access.redhat.com/errata/RHSA-2023:1286
reference_id RHSA-2023:1286
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1286
14
reference_url https://access.redhat.com/errata/RHSA-2023:2041
reference_id RHSA-2023:2041
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2041
15
reference_url https://access.redhat.com/errata/RHSA-2023:2100
reference_id RHSA-2023:2100
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2100
16
reference_url https://access.redhat.com/errata/RHSA-2023:3625
reference_id RHSA-2023:3625
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3625
17
reference_url https://access.redhat.com/errata/RHSA-2023:3663
reference_id RHSA-2023:3663
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3663
18
reference_url https://usn.ubuntu.com/5946-1/
reference_id USN-5946-1
reference_type
scores
url https://usn.ubuntu.com/5946-1/
fixed_packages
0
url pkg:deb/debian/libxstream-java@1.4.15-3%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/libxstream-java@1.4.15-3%2Bdeb11u2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libxstream-java@1.4.15-3%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/libxstream-java@1.4.20-1?distro=trixie
purl pkg:deb/debian/libxstream-java@1.4.20-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libxstream-java@1.4.20-1%3Fdistro=trixie
2
url pkg:deb/debian/libxstream-java@1.4.20-1%2Bdeb12u1?distro=trixie
purl pkg:deb/debian/libxstream-java@1.4.20-1%2Bdeb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libxstream-java@1.4.20-1%252Bdeb12u1%3Fdistro=trixie
3
url pkg:deb/debian/libxstream-java@1.4.21-1?distro=trixie
purl pkg:deb/debian/libxstream-java@1.4.21-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libxstream-java@1.4.21-1%3Fdistro=trixie
aliases CVE-2022-41966, GHSA-j563-grx4-pjpv
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9442-1vwr-5fbt
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:deb/debian/libxstream-java@1.4.20-1%3Fdistro=trixie