XStream is a popular open-source library used to serialize and deserialize objects to and from XML. Recently, a critical vulnerability in XStream was discovered that could allow an attacker to execute arbitrary code remotely. In this article, we will explore that vulnerability in detail, including the vulnerable code and how it can be exploited, as well as provide recommendations for mitigating the risk.

The Vulnerable Code

The vulnerability lies in the way XStream processes input streams. Specifically, XStream allows an attacker to inject code into an object's data field by manipulating the input stream. This is because XStream uses a default converter that does not perform any input validation or sanitization. Here is an example of the vulnerable code:

ObjectInputStream in = xstream.createObjectInputStream(req.getInputStream());

This specific code snippet is an example of how the vulnerability can be exploited to execute arbitrary code on a target system. It allows an attacker to send a serialized Java object that contains malicious code to a vulnerable application that uses the library.

The code begins by creating an instance of ObjectInputStream by calling the createObjectInputStream() method. This object is then initialized with the input stream obtained from the “req” object, which is assumed to be the HTTP request object received by the application.

The Exploit

An attacker can exploit this vulnerability by crafting a specially designed XML input that contains malicious code. Once the input is deserialized, the malicious code is executed.

This code is often used as a proof-of-concept for CVE-2021-39144 vulnerability:

import requests
import os
import base64

payload = """
  <void class="java.lang.ProcessBuilder">
    <array class="java.lang.String" length="3">
      <void index="0">
      <void index="1">
      <void index="2">
    <void method="start"/>

exploit = "cat /etc/passwd"

url = "http://target.com/vulnerable-endpoint"

encoded_payload = base64.b64encode(payload.format(exploit).encode()).decode()

headers = {
    "Content-Type": "application/xml",
    "X-Stream-Authorization": "Basic {}".format(encoded_payload)

response = requests.get(url, headers=headers)


The code is written in Python and uses the requests library to send a GET request to a vulnerable endpoint. The payload is an XML document that contains a Java object which, when deserialized, will execute a system command. The command to be executed is specified in the exploit variable.

The payload is encoded in Base64 and added to the X-Stream-Authorization header of the request. This is because the exploitation of this vulnerability requires an authenticated user session, and takes advantage of a feature in XStream that allows custom objects to be deserialized from headers.

When the vulnerable server receives the request, it attempts to deserialize the XML payload using XStream. The payload contains a Java object that creates a new process using the ProcessBuilder class, and executes the specified command. This particular exploit is attempting to execute the cat /etc/passwd command, which is a common way to obtain information about the system and its users. However, in a real attack scenario, the attacker could use this vulnerability to execute any other possible command on the system, potentially leading to a complete compromise of the server.


CVE-2021-39144 affects all systems that use the XStream library. This includes a wide range of systems, such as web applications, enterprise applications, and other software that uses Java-based technologies. Any system that uses it to deserialize XML input from untrusted sources is vulnerable to this attack.

It is important to note that this vulnerability affects all versions of XStream up to and including version 1.4.15, which was the latest version at the time the vulnerability was discovered. Therefore, to mitigate the risk of becoming a victim of this vulnerability, it is recommended to update to the latest version of XStream, which includes a fix. Additionally, it is recommended to make validation and sanitization of all the input data a common routine, especially when coming from untrusted sources, in order to prevent injection attacks.

Subscribe to be updated on the new content!

Subscription Form (#4)