PT-2021-7461 · Xstream+6 · Xstream+6
Published: 2021-08-23 · Updated: 2025-10-24
CVE-2021-39144
CVSS v3.1: 8.5 (High)
| Vector | AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
XStream versions prior to 1.4.18
Description
The issue is related to a remote code execution vulnerability in the XStream library, which can serialize objects to XML and back again. This vulnerability may allow a remote attacker to execute commands on the host by manipulating the processed input stream. Users who set up XStream's security framework with a whitelist limited to the minimal required types are not affected. The vulnerability is related to deserialization errors and code injection.
Recommendations
For versions prior to 1.4.18, consider setting up XStream's security framework with a whitelist limited to the minimal required types to mitigate the risk of exploitation. As a temporary workaround, consider restricting the use of the XStream library until a patch is available. At the moment, there is no information about additional mitigation measures.
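The whitelist setup recommended above, as an added example that is not part of the advisory or the XStream project's own code. The `Order` class, its alias and the sample XML strings are hypothetical and constructed for illustration; the XStream library is assumed to be on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Hypothetical application DTO: the only custom type expected in input.
    public static class Order {
        String id;
        int quantity;
    }

    static XStream hardened() {
        XStream xstream = new XStream();
        // Start from deny-all, then permit only the minimal required types.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Constructed sample input: a document of the expected type.
        String expected = "<order><id>A-1</id><quantity>2</quantity></order>";
        Order order = (Order) xstream.fromXML(expected);
        System.out.println("accepted: " + order.id + " x" + order.quantity);

        // Constructed sample input: a benign JDK type that is not on the
        // whitelist, standing in for any type the application never expects.
        String unexpected =
            "<java.util.concurrent.atomic.AtomicLong>1</java.util.concurrent.atomic.AtomicLong>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("unexpected type was deserialized");
        } catch (XStreamException e) {
            // ForbiddenClassException (a subclass of XStreamException); for
            // nested elements it can arrive wrapped in a ConversionException.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Logging the rejection branch gives a useful detection signal: a type name outside the whitelist in incoming XML means the input did not come from a well-behaved client.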
Exploit
Fix
Missing Authentication
Deserialization of Untrusted Data
Code Injection
Affected Products
Alt Linux
Astra Linux
Linuxmint
Red Hat
Suse
Ubuntu
Xstream