CVE-2021-29505: XStream Remote Command Execution Vulnerability Alert

On May 17, 2021, XStream issued an alert about a remote command execution vulnerability, tracked as CVE-2021-29505. The vulnerability is low in attack complexity and high in risk.

XStream is a simple library to serialize objects to XML and back again. Through this vulnerability, an attacker constructs a specially crafted XML document that bypasses XStream's blacklist, manipulates the processed input stream and replaces the deserialized object, thereby executing local commands on the server. We therefore recommend that users upgrade XStream to the latest version promptly.
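Beyond upgrading, the mitigation the XStream project itself recommends is to stop relying on the built-in blacklist (which this class of bypass defeats) and instead configure an explicit allowlist of the types the application expects. The following is an added example, not code from the advisory or from the XStream project; the `Person` class, the `person` alias and the sample XML documents are constructed for illustration. It uses the public XStream security API (`NoTypePermission`, `PrimitiveTypePermission`, `allowTypes`, `ForbiddenClassException`) available in the affected 1.4.x line.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical application type: the only object we intend to deserialize.
    public static class Person {
        public String name;
        public int age;
    }

    // Build an XStream instance that refuses every type not explicitly allowed.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Start from "deny everything"; the default blacklist is no longer
        // the thing standing between untrusted XML and an arbitrary class.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-enable primitives and the handful of types the payload really needs.
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { Person.class, String.class });
        // Alternative for larger models: allow a package by wildcard, e.g.
        // xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        xstream.alias("person", Person.class);
        return xstream;
    }

    // Returns true when the mapper rejects the document before any object of
    // the unexpected type is instantiated.
    public static boolean rejectsUnexpectedType(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed benign input: an allowed type deserializes normally.
        String good = "<person><name>Alice</name><age>30</age></person>";
        Person p = (Person) xstream.fromXML(good);
        System.out.println("Deserialized: " + p.name + ", " + p.age);

        // Constructed input naming a JDK type the application never expects.
        // With an allowlist it is refused regardless of what the blacklist knows.
        String unexpected = "<java.util.HashMap/>";
        System.out.println("Unexpected type rejected: "
                + rejectsUnexpectedType(xstream, unexpected));
    }
}
```

The important design choice is `NoTypePermission.NONE` first and `allowTypes` second: permissions are evaluated as a set, so an instance that only adds allowed types on top of the defaults still accepts everything the default configuration accepts. From XStream 1.4.18 onward the library applies an allowlist by default, but the explicit configuration above is still the right shape for any version, and it makes the set of deserializable types visible in code review.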

CVE-2020-26259

Affected version

  • XStream <=1.4.16

Unaffected

  • XStream 1.4.17