CVE-2024-47072

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-47072
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47072.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-47072
Aliases
Downstream
Related
Published
2024-11-07T23:38:52Z
Modified
2025-10-20T20:28:06.867022Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
Details

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.

Database specific 
{
    "cwe_ids": [
        "CWE-121",
        "CWE-502"
    ]
}
References

Affected packages

Git / github.com/x-stream/xstream

Affected ranges

Type
GIT
Repo
https://github.com/x-stream/xstream
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e62d2eeea1a627e85caef287e76a9c09078c1798

Affected versions

Other

XSTREAM_1_4_10
XSTREAM_1_4_11
XSTREAM_1_4_11_1
XSTREAM_1_4_12
XSTREAM_1_4_13
XSTREAM_1_4_14
XSTREAM_1_4_15
XSTREAM_1_4_16
XSTREAM_1_4_17
XSTREAM_1_4_18
XSTREAM_1_4_19
XSTREAM_1_4_20
XSTREAM_1_4_5
XSTREAM_1_4_9