XStream DoS Vulnerability (CVE-2022-41966)
Dec 30, 2022 GMT+08:00
Recently, XStream officially released a security notice, disclosing a high-risk DoS vulnerability (CVE-2022-41966) in versions earlier than 1.4.20. The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream. Currently, the details and POC of this vulnerability have been disclosed and the risk is high.
XStream is a Java class library used to serialize objects to XML (JSON) and back again. If you are an XStream user, check your XStream version and implement timely security hardening.
(Severity: low, moderate, important, and critical)
III. Affected Products
XStream < 1.4.20
IV. Vulnerability Handling
This vulnerability has been fixed in later official versions. If your service version falls into the affected range, upgrade it to a latest secure version.
If you cannot perform the upgrade in a timely manner, refer to the suggestions provided by the XStream official website to mitigate the problem.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.