VulnerableCode Package Details - pkg:maven/com.thoughtworks.xstream/xstream@1.4.20

Search for packages

Vulnerability	Summary	Fixed by
VCID-fcg2-x3s5-wudk Aliases: CVE-2024-47072 GHSA-hfq9-hggm-c56q	XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream ### Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. ### Patches XStream 1.4.21 detects the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. ### Workarounds The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2024-47072](https://x-stream.github.io/CVE-2024-47072.html). ### Credits Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.	1.4.21 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-fcg2-x3s5-wudk
Aliases:
CVE-2024-47072
GHSA-hfq9-hggm-c56q

XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream ### Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. ### Patches XStream 1.4.21 detects the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. ### Workarounds The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2024-47072](https://x-stream.github.io/CVE-2024-47072.html). ### Credits Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.

1.4.21
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-9442-1vwr-5fbt	XStream can cause Denial of Service via stack overflow ### Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream. ### Patches XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead. ### Workarounds The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. Following types of the Java runtime are affected: - java.util.HashMap - java.util.HashSet - java.util.Hashtable - java.util.LinkedHashMap - java.util.LinkedHashSet - Other third party collection implementations that use their element's hash code may also be affected A simple solution is to catch the StackOverflowError in the client code calling XStream. If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode: ```Java XStream xstream = new XStream(); xstream.setMode(XStream.NO_REFERENCES); ``` If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types: ```Java XStream xstream = new XStream(); xstream.denyTypes(new Class[]{ java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class }); ``` Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time:: ```Java xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class); xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class); ``` However, this implies that your application does not care about the implementation of the map and all elements are comparable. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-41966](https://x-stream.github.io/CVE-2022-41966.html). ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)	CVE-2022-41966 GHSA-j563-grx4-pjpv
VCID-exrn-u19r-wfd8	Duplicate Advisory: Denial of Service due to parser crash ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of [GHSA-f8cc-g7j8-xxpm](https://github.com/advisories/GHSA-f8cc-g7j8-xxpm). This link is maintained to preserve external references. ## Original Description Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.	GHSA-3mq5-fq9h-gj7j GMS-2022-9109
VCID-hqzr-vc5w-9ff5	Denial of Service due to parser crash Those using FasterXML/woodstox to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. This vulnerability is only relevant for users making use of the DTD parsing functionality.	CVE-2022-40152 GHSA-3f7h-mf4q-vrm4
VCID-mfub-hwcq-pqbt	XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow ### Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream. ### Patches XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead. ### Workarounds The only solution is to catch the StackOverflowError in the client code calling XStream. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-40151](https://x-stream.github.io/CVE-2022-40151.html). ### Credits The vulnerability was discovered and reported by Henry Lin of the Google OSS-Fuzz team. ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)	CVE-2022-40151 GHSA-f8cc-g7j8-xxpm

Vulnerability

Summary

Aliases

VCID-9442-1vwr-5fbt

XStream can cause Denial of Service via stack overflow ### Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream. ### Patches XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead. ### Workarounds The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. Following types of the Java runtime are affected: - java.util.HashMap - java.util.HashSet - java.util.Hashtable - java.util.LinkedHashMap - java.util.LinkedHashSet - Other third party collection implementations that use their element's hash code may also be affected A simple solution is to catch the StackOverflowError in the client code calling XStream. If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode: ```Java XStream xstream = new XStream(); xstream.setMode(XStream.NO_REFERENCES); ``` If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types: ```Java XStream xstream = new XStream(); xstream.denyTypes(new Class[]{ java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class }); ``` Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time:: ```Java xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class); xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class); ``` However, this implies that your application does not care about the implementation of the map and all elements are comparable. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-41966](https://x-stream.github.io/CVE-2022-41966.html). ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)

CVE-2022-41966
GHSA-j563-grx4-pjpv

VCID-exrn-u19r-wfd8

Duplicate Advisory: Denial of Service due to parser crash ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of [GHSA-f8cc-g7j8-xxpm](https://github.com/advisories/GHSA-f8cc-g7j8-xxpm). This link is maintained to preserve external references. ## Original Description Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

GHSA-3mq5-fq9h-gj7j
GMS-2022-9109

VCID-hqzr-vc5w-9ff5

Denial of Service due to parser crash Those using FasterXML/woodstox to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. This vulnerability is only relevant for users making use of the DTD parsing functionality.

CVE-2022-40152
GHSA-3f7h-mf4q-vrm4

VCID-mfub-hwcq-pqbt

XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow ### Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream. ### Patches XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead. ### Workarounds The only solution is to catch the StackOverflowError in the client code calling XStream. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-40151](https://x-stream.github.io/CVE-2022-40151.html). ### Credits The vulnerability was discovered and reported by Henry Lin of the Google OSS-Fuzz team. ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)

CVE-2022-40151
GHSA-f8cc-g7j8-xxpm

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:13:41.696811+00:00	GitLab Importer	Affected by	VCID-fcg2-x3s5-wudk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/CVE-2024-47072.yml	38.4.0
2026-04-16T22:18:50.207463+00:00	GitLab Importer	Fixing	VCID-9442-1vwr-5fbt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/CVE-2022-41966.yml	38.4.0
2026-04-16T22:10:20.456751+00:00	GitLab Importer	Fixing	VCID-exrn-u19r-wfd8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/GMS-2022-9109.yml	38.4.0
2026-04-16T22:10:10.786129+00:00	GitLab Importer	Fixing	VCID-hqzr-vc5w-9ff5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/CVE-2022-40152.yml	38.4.0
2026-04-16T22:09:27.787370+00:00	GitLab Importer	Fixing	VCID-mfub-hwcq-pqbt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/CVE-2022-40151.yml	38.4.0
2026-04-12T00:32:13.729938+00:00	GitLab Importer	Affected by	VCID-fcg2-x3s5-wudk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/CVE-2024-47072.yml	38.3.0
2026-04-11T23:36:32.282653+00:00	GitLab Importer	Fixing	VCID-9442-1vwr-5fbt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/CVE-2022-41966.yml	38.3.0
2026-04-11T23:26:53.791888+00:00	GitLab Importer	Fixing	VCID-exrn-u19r-wfd8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/GMS-2022-9109.yml	38.3.0
2026-04-11T23:26:43.331037+00:00	GitLab Importer	Fixing	VCID-hqzr-vc5w-9ff5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/CVE-2022-40152.yml	38.3.0
2026-04-11T23:25:57.584257+00:00	GitLab Importer	Fixing	VCID-mfub-hwcq-pqbt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/CVE-2022-40151.yml	38.3.0
2026-04-05T02:23:06.143476+00:00	GitLab Importer	Fixing	VCID-exrn-u19r-wfd8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/GMS-2022-9109.yml	38.1.0
2026-04-03T00:39:57.312752+00:00	GitLab Importer	Affected by	VCID-fcg2-x3s5-wudk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/CVE-2024-47072.yml	38.1.0
2026-04-02T23:41:02.164033+00:00	GitLab Importer	Fixing	VCID-9442-1vwr-5fbt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/CVE-2022-41966.yml	38.1.0
2026-04-02T23:32:47.962613+00:00	GitLab Importer	Fixing	VCID-hqzr-vc5w-9ff5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/CVE-2022-40152.yml	38.1.0
2026-04-02T23:32:09.420068+00:00	GitLab Importer	Fixing	VCID-mfub-hwcq-pqbt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/CVE-2022-40151.yml	38.1.0
2026-04-02T16:58:42.487931+00:00	GHSA Importer	Fixing	VCID-mfub-hwcq-pqbt	https://github.com/advisories/GHSA-f8cc-g7j8-xxpm	38.1.0
2026-04-02T16:58:42.232238+00:00	GHSA Importer	Fixing	VCID-9442-1vwr-5fbt	https://github.com/advisories/GHSA-j563-grx4-pjpv	38.1.0
2026-04-01T18:03:37.015824+00:00	GitLab Importer	Fixing	VCID-9442-1vwr-5fbt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/CVE-2022-41966.yml	38.0.0
2026-04-01T17:54:30.400744+00:00	GitLab Importer	Fixing	VCID-hqzr-vc5w-9ff5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/CVE-2022-40152.yml	38.0.0
2026-04-01T17:53:50.851012+00:00	GitLab Importer	Fixing	VCID-mfub-hwcq-pqbt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.thoughtworks.xstream/xstream/CVE-2022-40151.yml	38.0.0
2026-04-01T13:05:59.645516+00:00	GithubOSV Importer	Fixing	VCID-9442-1vwr-5fbt	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-j563-grx4-pjpv/GHSA-j563-grx4-pjpv.json	38.0.0
2026-04-01T13:05:58.650561+00:00	GithubOSV Importer	Fixing	VCID-mfub-hwcq-pqbt	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-f8cc-g7j8-xxpm/GHSA-f8cc-g7j8-xxpm.json	38.0.0