A high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2024-47072, has been identified in XStream, a widely used Java library for object serialization. This vulnerability affects all versions of XStream up to and including version 1.4.20 when utilizing the BinaryStreamDriver. The CVSSv3 score for this vulnerability is 7.5, indicating a significant risk to applications that rely on XStream for serialization tasks. Exploiting the vulnerability allows attackers to trigger a stack overflow error, which can cause application crashes and result in service disruptions. This vulnerability is particularly concerning for systems that process untrusted or external input, making them more susceptible to exploitation.
The vulnerability originates from insecure handling of string value IDs during the deserialization process. The BinaryStreamDriver in XStream optimizes the mapping of string values to IDs, but a flaw in its implementation allows attackers to craft malicious input. This crafted input leads to an endless recursion loop in the ID mapping process, ultimately causing a stack overflow. The recursion continues indefinitely, overwhelming the application’s stack, which results in the termination of the application. The flaw is specifically present in versions of XStream up to 1.4.20, which means any application using these versions to deserialize untrusted data could fall victim to this attack.
Security researcher Alexis Challande, from Trail of Bits, discovered and responsibly disclosed this vulnerability. Since then, the XStream project has responded by releasing version 1.4.21, which includes a patch addressing the issue. The patch corrects the recursion handling within the BinaryStreamDriver, effectively mitigating the risk of a stack overflow and the resulting DoS condition. As the flaw has been publicly disclosed, applications that have not yet upgraded to the patched version are vulnerable to exploitation, and attackers could exploit the flaw to disrupt services or crash affected applications.
To protect their systems, XStream users are strongly urged to upgrade to version 1.4.21, which includes the necessary fixes for this high-severity vulnerability. In the interim, while upgrading is the optimal solution, a temporary workaround is available. Users can implement error handling mechanisms within their client code to catch the StackOverflowError and prevent application crashes. However, it’s important to recognize that this workaround does not resolve the underlying vulnerability and should not be considered a permanent fix. The best approach remains to upgrade to the patched version as soon as possible to eliminate the risk entirely.