6.3

CVSS Score

Basic Information

CVE ID

CVE-2020-26258

GHSA ID

GHSA-4cch-wxpw-8p28

EPSS Score

CWE

CWE-918

Published

12/21/2020

Updated

1/15/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-26258

CVE-2020-26258:
Server-Side Forgery Request can be activated unmarshalling with XStream

Impact

The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream.

Patches

If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15.

Workarounds

The reported vulnerability does not exist running Java 15 or higher.

No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability.

Users of XStream 1.4.14 or below who still insist to use XStream default blacklist - despite that clear recommendation - can use a workaround depending on their version in use.

Users of XStream 1.4.14 can simply add two lines to XStream's setup code:

xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });

Users of XStream 1.4.14 to 1.4.13 can simply add three lines to XStream's setup code:

xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });

Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a black list will have to setup such a list from scratch and deny at least the following types: javax.imageio.ImageIO$ContainsFilter, java.beans.EventHandler, java.lang.ProcessBuilder, jdk.nashorn.internal.objects.NativeString.class, java.lang.Void and void and deny several types by name pattern.

xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, "jdk.nashorn.internal.objects.NativeString", java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });
xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" });

Users of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently know critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285:

xstream.registerConverter(new Converter() {
  public boolean canConvert(Class type) {
    return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class
        || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || type.getName().equals("jdk.nashorn.internal.objects.NativeString")
        || type == java.lang.Void.class || void.class || Proxy.isProxy(type))
        || type.getName().startsWith("javax.crypto.") || type.getName().endsWith("$LazyIterator") || type.getName().endsWith(".ReadAllStream$FileStream"));
  }

  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
    throw new ConversionException("Unsupported type due to security reasons.");
  }

  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
    throw new ConversionException("Unsupported type due to security reasons.");
  }
}, XStream.PRIORITY_LOW);

For more information

If you have any questions or comments about this advisory:

Open an issue in XStream
Contact us at XStream Google Group

(GitHub Advisory)

6.3

CVSS Score

Basic Information

CVE ID

CVE-2020-26258

GHSA ID

GHSA-4cch-wxpw-8p28

EPSS Score

CWE

CWE-918

Published

12/21/2020

Updated

1/15/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.thoughtworks.xstream:xstream	maven	< 1.4.15	1.4.15

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from XStream's deserialization of specific Java classes that enable SSRF/RCE vectors. The advisory explicitly lists classes like NativeString, ImageIO$ContainsFilter, and ProcessBuilder in its workarounds, indicating their converters are vulnerable when not properly restricted. These classes' deserialization handlers allow attacker-controlled input to trigger unintended network requests or command execution. While exact XStream function names aren't provided, the classes themselves are the root cause via their default converters.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** vuln*r**ility m*y *llow * r*mot* *tt**k*r to r*qu*st **t* *rom int*rn*l r*sour**s t**t *r* not pu*li*ly *v*il**l* only *y m*nipul*tin* t** pro**ss** input str**m. ### P*t***s I* you r*ly on XStr**m's ****ult *l**klist o* t** [S**urity

Reasoning

T** vuln*r**ility st*ms *rom XStr**m's **s*ri*liz*tion o* sp**i*i* J*v* *l*ss*s t**t *n**l* SSR*/R** v**tors. T** **visory *xpli*itly lists *l*ss*s lik* N*tiv*Strin*, Im***IO$*ont*ins*ilt*r, *n* Pro**ss*uil**r in its work*roun*s, in*i**tin* t**ir *on

6.3

Basic Information

Concerned about an active attack path?

CVE-2020-26258: Server-Side Forgery Request can be activated unmarshalling with XStream

Impact

Patches

Workarounds

For more information

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-26258:
Server-Side Forgery Request can be activated unmarshalling with XStream

Vulnerability Intelligence
Miggo AI