XStream Vulnerabilities — Detection & Mitigation
Looking at RCEs in the XStream Java library and how you can prevent them.
Date: 2021-07-09

XStream from ThoughtWorks is a simple library for serializing and deserializing objects to and from XML and JSON. Compared to alternative XML serialization libraries such as JAXB (JSR-222) and Jackson, developers find XStream lightweight and easier to integrate into their applications and services. This simplicity, however, comes at a price: security. Until recently, XStream did not ship with its security features enabled by default. Attackers and security researchers have regularly found ways to exploit applications that use XStream to achieve Remote Command Execution (RCE), Denial-of-Service (DoS), and even blind Server-Side Request Forgery (SSRF). These are the kinds of weaknesses behind the data breaches, ransomware, and bitcoin mining incidents we regularly read about.
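Since the point above is that XStream's security framework was historically off by default, the mitigation a practitioner wants first is an explicit type allowlist on every XStream instance that unmarshals untrusted input. The following is an added example, not code from the article or from the XStream project: it assumes XStream 1.4.x on the classpath and a hypothetical `Order` domain class, clears the default permissions, allows only the types the application needs, and shows that input naming any other type is rejected before an object is created. (From XStream 1.4.18 onward an allowlist is the default, but the explicit configuration still documents intent and works across versions.)

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStreamExample {

    // Hypothetical domain type used for the round trip (not from the article).
    public static class Order {
        String id;
        int quantity;

        public Order() { }

        public Order(String id, int quantity) {
            this.id = id;
            this.quantity = quantity;
        }
    }

    /** Builds an XStream instance that unmarshals only explicitly allowed types. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // NoTypePermission.NONE resets every permission XStream registered by
        // default; after this, nothing can be unmarshalled until allowed again.
        xstream.addPermission(NoTypePermission.NONE);
        // Add back only the basics the application actually needs.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // For a larger model, allow a package instead of listing each class:
        // xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Legitimate input: an Order round-trips normally.
        String ok = xstream.toXML(new Order("A-100", 3));
        Order back = (Order) xstream.fromXML(ok);
        System.out.println("round trip: " + back.id + " x" + back.quantity);

        // Constructed input naming a type that is not on the allowlist. Under the
        // permissive defaults of older releases XStream would resolve and
        // instantiate it; here the type lookup itself is refused.
        String notAllowed = "<java.util.Date>0</java.util.Date>";
        try {
            xstream.fromXML(notAllowed);
            System.out.println("UNEXPECTED: type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Treat a `ForbiddenClassException` in production logs as a detection signal rather than noise: legitimate clients never send types outside the allowlist, so each occurrence records the source and the type name an untrusted caller tried to have the application instantiate.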