### Key Information

#### Vulnerability ID

CVE-2021-39149

#### Vulnerability Type

Arbitrary Code Execution Vulnerability

#### Affected Versions

XStream 1.4.17 and earlier versions

#### Description

During deserialization, XStream is vulnerable to attacks in which an attacker manipulates the processed input stream by replacing or injecting objects, leading to the execution of arbitrary code loaded from a remote host.

#### Reproduction Steps

1. Create a simple `LinkedHashSet` and serialize it to XML using XStream.
2. Replace the XML with the following snippet and deserialize it again.

```xml
com.amazonaws.services.sns.model.AmazonSNS com.amazonaws.services.sns.model.AmazonSNSClient com.amazonaws.services.sns.model.AmazonSNSClient java.lang.Runtime exec java.lang.String /bin/bash -c touch /tmp/test
```

#### Impact

The vulnerability may allow remote attackers to execute arbitrary code by manipulating the processed input stream.

#### Mitigation

Refer to [workarounds](#workarounds) for mitigation strategies applicable to different versions.
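Added example (not part of this advisory or of XStream's own code) showing the allowlist configuration that the mitigation refers to: XStream's security framework is switched to deny-by-default and only the `LinkedHashSet` round trip from the reproduction steps is permitted, so a document naming any other type, such as the classes in the snippet above, is rejected with `ForbiddenClassException` before an instance is created. The class `XStreamAllowList` and the tampered sample document are constructed for this example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.LinkedHashSet;

public class XStreamAllowList {

    // Build an XStream instance that only unmarshals the types this application expects.
    public static XStream hardened() {
        XStream xstream = new XStream();
        // Clear every existing permission, including the default blacklist of 1.4.17 and earlier.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-allow null and primitive/boxed values, which almost every document needs.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Allow exactly the types of the data model: the set and the strings it contains.
        xstream.allowTypes(new Class[] { LinkedHashSet.class, String.class });
        return xstream;
    }

    // Returns true when XStream refuses to unmarshal the given document because of the allowlist.
    public static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Step 1 of the reproduction: serialize a simple LinkedHashSet.
        LinkedHashSet<String> set = new LinkedHashSet<>();
        set.add("alpha");
        String xml = xstream.toXML(set);           // <linked-hash-set><string>alpha</string></linked-hash-set>
        System.out.println("round trip ok: " + set.equals(xstream.fromXML(xml)));

        // Constructed tampered document: the root element names a type outside the allowlist.
        String tampered = "<java.util.Date><time>0</time></java.util.Date>";
        System.out.println("tampered rejected: " + isRejected(xstream, tampered));  // true
    }
}
```

The same `allowTypes` / `allowTypesByWildcard` calls apply to both 1.4.17 and 1.4.18; on 1.4.18 the blacklist is no longer the default, but an explicit allowlist remains the recommended configuration.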