Denial of service in XStream

RSS Feed HIGH

GHSA-7hwc-46rm-65jh CVE-2017-7957

Description:

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call.

Affected Packages

Ecosystem	Package	Vulnerable Versions	Patched Version
maven	`com.thoughtworks.xstream:xstream`	`< 1.4.10`	`1.4.10`

Related Dependabot Pull Requests

All Open Closed Merged

No Related Pull Requests

No Dependabot pull requests have been found that reference this security advisory.

Actions

View on GitHub All Advisories

Advisory Details

Published:	June 30, 2020 almost 6 years ago
Updated:	June 04, 2026 13 days ago
CVSS Score:	7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS:	2.64% 86th percentile
Source:	Github
Classification:	GENERAL
UUID:	`MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdod2MtNDZybS02NWpo`

References

https://nvd.nist.gov/vuln/detail/CVE-2017-7957
https://github.com/x-stream/xstream/commit/6e546ec366419158b1e393211be6d78ab9604ab
https://github.com/x-stream/xstream/commit/8542d02d9ac5d384c85f4b33d6c1888c53bd55d
https://github.com/x-stream/xstream/commit/b3570be2f39234e61f99f9a20640756ea71b1b4
https://access.redhat.com/errata/RHSA-2017:1832
https://access.redhat.com/errata/RHSA-2017:2888
https://access.redhat.com/errata/RHSA-2017:2889
https://exchange.xforce.ibmcloud.com/vulnerabilities/125800
https://www-prd-trops.events.ibm.com/node/715749
http://www.debian.org/security/2017/dsa-3841
http://www.securityfocus.com/bid/100687
http://www.securitytracker.com/id/1039499
http://x-stream.github.io/CVE-2017-7957.html
https://github.com/advisories/GHSA-7hwc-46rm-65jh

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Dependabot