Advisory Database
  • Advisories
  • Dependency Scanning
  1. maven
  2. ›
  3. com.thoughtworks.xstream/xstream
  4. ›
  5. CVE-2017-7957

CVE-2017-7957: Denial of service in XStream

June 30, 2020 (updated May 23, 2025)

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type ‘void’ during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call.

References

  • access.redhat.com/errata/RHSA-2017:1832
  • access.redhat.com/errata/RHSA-2017:2888
  • access.redhat.com/errata/RHSA-2017:2889
  • exchange.xforce.ibmcloud.com/vulnerabilities/125800
  • github.com/advisories/GHSA-7hwc-46rm-65jh
  • github.com/x-stream/xstream
  • github.com/x-stream/xstream/commit/6e546ec366419158b1e393211be6d78ab9604ab
  • github.com/x-stream/xstream/commit/8542d02d9ac5d384c85f4b33d6c1888c53bd55d
  • github.com/x-stream/xstream/commit/b3570be2f39234e61f99f9a20640756ea71b1b4
  • nvd.nist.gov/vuln/detail/CVE-2017-7957
  • www-prd-trops.events.ibm.com/node/715749

Code Behaviors & Features

Detect and mitigate CVE-2017-7957 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 1.4.10

Fixed versions

  • 1.4.10

Solution

Upgrade to version 1.4.10 or above.

Impact 7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Learn more about CVSS

Weakness

  • CWE-20: Improper Input Validation

Source file

maven/com.thoughtworks.xstream/xstream/CVE-2017-7957.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Sat, 23 Aug 2025 00:18:49 +0000.