XStream has published a security advisory disclosing a high-risk denial-of-service vulnerability (CVE-2022-41966) in versions earlier than 1.4.20. By injecting recursive collections or maps into the processed input stream, a remote attacker can make the application terminate with a stack overflow error, resulting in a denial of service; no other access is required. The details and a proof of concept (PoC) for this vulnerability have already been disclosed, so the risk is high.
XStream is a Java library for serializing objects to XML (or JSON) and back again. If you use XStream, check which version your services run and apply the hardening below promptly.
Severity: important (scale: low, moderate, important, critical)
Affected versions:
XStream < 1.4.20
Secure versions:
XStream >= 1.4.20
The vulnerability is fixed in the official 1.4.20 release. If your service runs an affected version, upgrade to the latest secure version:
http://x-stream.github.io/download.html
If you cannot upgrade promptly, apply the workaround stated in the XStream security advisory: catch StackOverflowError in the application code that calls XStream to unmarshal untrusted input, so that a crafted document fails the request instead of the process. The advisory lists no other workaround; restricting deserializable types through XStream's security framework (allowTypes) remains recommended general hardening, but it is not stated to address this issue.
https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv
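The following is an added example, not code from the XStream project or the advisory, showing what the advisory's workaround looks like in the calling code: fromXML() is wrapped so that a StackOverflowError raised by a crafted, self-referencing collection is converted into a rejected input. The Order and Internal types, the "order"/"internal" aliases and the SafeUnmarshal class name are assumptions made for the example; the type allowlist is standard XStream hardening that is independent of the CVE.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;

/**
 * Added example (not XStream project code): wrap XStream.fromXML() so that a
 * StackOverflowError from a crafted, self-referencing collection
 * (CVE-2022-41966, XStream < 1.4.20) becomes a rejected input instead of an
 * uncaught Error that takes down the worker thread or the whole process.
 */
public final class SafeUnmarshal {

    /** Hypothetical application type; the only type we allow XStream to build. */
    public static final class Order {
        public String id;
        public int quantity;
    }

    /** Hypothetical type that is deliberately NOT on the allowlist. */
    public static final class Internal {
        public String secret;
    }

    private static final XStream XSTREAM = new XStream();

    static {
        XSTREAM.alias("order", Order.class);
        XSTREAM.alias("internal", Internal.class);
        // Standard hardening, unrelated to the CVE itself: only Order may be
        // instantiated from input. Everything else raises ForbiddenClassException.
        XSTREAM.allowTypes(new Class[] { Order.class });
    }

    /**
     * Deserializes untrusted XML. On XStream < 1.4.20 the advisory's stated
     * workaround is to catch StackOverflowError in the calling code; this is
     * that workaround. Upgrading to 1.4.20 remains the real fix.
     */
    public static Object unmarshalUntrusted(String xml) {
        try {
            return XSTREAM.fromXML(xml);
        } catch (StackOverflowError e) {
            // By the time control reaches here the stack has unwound, so the
            // Error can be handled safely. Reject the document; do not retry it.
            throw new IllegalArgumentException(
                "Rejected XML: recursion too deep while unmarshalling "
                + "(possible CVE-2022-41966 payload)", e);
        } catch (XStreamException e) {
            // Malformed XML or a type outside the allowlist
            // (ForbiddenClassException is an XStreamException).
            throw new IllegalArgumentException("Rejected XML: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: a legitimate document round-trips.
        Order o = new Order();
        o.id = "A-1";
        o.quantity = 3;
        String xml = XSTREAM.toXML(o);
        Order back = (Order) unmarshalUntrusted(xml);
        System.out.println(back.id + " x" + back.quantity);

        // Constructed sample input naming a type outside the allowlist is rejected.
        try {
            unmarshalUntrusted("<internal><secret>x</secret></internal>");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

To confirm which version a build actually ships, inspect the resolved dependency rather than the declared one, e.g. `mvn dependency:tree -Dincludes=com.thoughtworks.xstream:xstream` for Maven or `gradle dependencies --configuration runtimeClasspath` for Gradle, and check that the artifact is `com.thoughtworks.xstream:xstream:1.4.20` or later. Keep the StackOverflowError handler only as a stopgap: catching an Error hides how close the thread came to exhausting its stack, and the 1.4.20 upgrade removes the need for it.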