Select Page

Feb 8, 2023

Breaking the Mold: Halting a Hacker’s Code ep. 9 – XStream Stack Overflow Denial of Service Vulnerability



XStream is a Java-based library for serializing Java objects to XML and back again. Recently, the highly severe XStream stack overflow denial of service vulnerability emerged. This vulnerability makes it possible for a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, by manipulating the input stream.


Users can not only use XStream to marshal Java objects to XML, but also unmarshal XML to Java objects with XStream.

In order to convert XML back into Java objects, XStream needs the type information of the objects included in the stream that is processed during unmarshalling. An attacker can process the input stream, then replace or inject objects. In that way, As soon as the XML gets unmarshalled, the recursive hash calculation is entered, and the executing thread is aborted with a stack overflow error, leading to a denial of service.

Affected Version

XStream <= 1.4.19


1. Official fix: The vendor has released the patches, and we recommend that users upgrade to XStream 1.4.20 or a later version. Please visit:

2. Workarounds on GitHub: Mitigate this risk by catching the StackOverflowError in the client code calling XStream. Please visit:

Implementing the Fix

The Hillstone Networks Intrusion Prevention System (IPS) and Hillstone Server Breach Detection System (sBDS) can support the detection and protection of this vulnerability.

Figure 1. Hillstone Networks IPS detects and protects users from this vulnerability
Figure 2. Upgrade IDS signature database to make Hillstone Networks sBDS detect and protect users from this vulnerability

The hotspot intelligence of this vulnerability is available on Hillstone Networks iSource as well.

Figure 3. The intelligence of this vulnerability on Hillstone Networks iSource