CVE-2020-26258, CVE-2020-26259: XStream Security Vulnerabilites Alert

On December 13, 2020, XStream issued a risk notice for Server-Side Forgery Requests and Arbitrary File Deletion vulnerabilities. The vulnerability numbers are CVE-2020-26259 and CVE-2020-26258. The vulnerability level is high risk.
On the service running XStream, unauthorized remote attackers can cause arbitrary file deletion/server request forgery by constructing specific serialized data. The POC of the vulnerability has been made public.

Vulnerability Detail

CVE-2020-26258: A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host.

CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights.

Affected version

  • XStream <=1.4.14

Unaffected version

  • XStream 1.4.15


In this regard, we recommend that users upgrade XStream to the latest version in time.