7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-40151

GHSA ID

GHSA-f8cc-g7j8-xxpm

EPSS Score

0.42223%

CWE

CWE-121

Published

12/30/2022

Updated

1/7/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-40151

CVE-2022-40151: XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow

Impact

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.

Patches

XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.

Workarounds

The only solution is to catch the StackOverflowError in the client code calling XStream.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2022-40151.

Credits

The vulnerability was discovered and reported by Henry Lin of the Google OSS-Fuzz team.

For more information

If you have any questions or comments about this advisory:

Open an issue in XStream
Contact us at XStream Google Group

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-40151

CVE-2022-40151:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-40151

GHSA ID

GHSA-f8cc-g7j8-xxpm

EPSS Score

0.42223%

CWE

CWE-121

Published

12/30/2022

Updated

1/7/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.thoughtworks.xstream:xstream	maven	< 1.4.20	1.4.20

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from uncontrolled recursion during XML unmarshalling of deeply nested structures. The TreeUnmarshaller.startElement method is responsible for processing nested elements recursively. Pre-1.4.20 versions lacked depth tracking in this critical path, allowing attackers to craft malicious payloads that exhaust the call stack. The patch in 1.4.20 introduced depth validation in this unmarshalling process, confirming this as the vulnerable code path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-40151: XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow

Impact

Patches

Workarounds

References

Credits

For more information

CVE-2022-40151:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

7.5

7.5

Technical Details

CVE-2022-40151: XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow

Impact

Patches

Workarounds

References

Credits

For more information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI