CVE DATABASE / CVE-2021-39144

CVE-2021-39144

XStream Remote Code Execution Vulnerability

CVSS 8.5 · HIGH ⚠ CISA KEV — ACTIVELY EXPLOITED

On the CISA KEV catalog

Confirmed exploited in the wild. Added 2023-03-10. Federal remediation due 2023-03-31.
Required action: Apply updates per vendor instructions.

Summary

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS 3.1 breakdown

Base score	8.5 (HIGH)
Vector	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack vector	NETWORK
Attack complexity	HIGH
Privileges required	LOW
User interaction	NONE
Scope	CHANGED
Confidentiality	HIGH
Integrity	HIGH
Availability	HIGH

Weakness type (CWE)

Affected products

Xstream xstreamDebian debian linuxFedoraproject fedoraNetapp snapmanagerOracle business activity monitoringOracle commerce guided searchOracle communications billing and revenue management elastic charging engineOracle communications cloud native core automated test suiteOracle communications cloud native core binding support functionOracle communications cloud native core policyOracle communications unified inventory managementOracle retail xstore point of serviceOracle utilities frameworkOracle utilities testing acceleratorOracle webcenter portal

Check this CVE live

Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.

References

Data: NIST NVD + CISA KEV. NVD last modified 2025-10-24. Always verify against the vendor advisory before acting.