7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-40151

GHSA ID

GHSA-f8cc-g7j8-xxpm

EPSS Score

0.42223%

CWE

CWE-121

Published

12/30/2022

Updated

1/7/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-40151

CVE-2022-40151: XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow

Impact

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.

Patches

XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.

Workarounds

The only solution is to catch the StackOverflowError in the client code calling XStream.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2022-40151.

Credits

The vulnerability was discovered and reported by Henry Lin of the Google OSS-Fuzz team.

For more information

If you have any questions or comments about this advisory:

Open an issue in XStream
Contact us at XStream Google Group

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-40151

GHSA ID

GHSA-f8cc-g7j8-xxpm

EPSS Score

0.42223%

CWE

CWE-121

Published

12/30/2022

Updated

1/7/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.thoughtworks.xstream:xstream	maven	< 1.4.20	1.4.20

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from uncontrolled recursion during XML unmarshalling of deeply nested structures. The TreeUnmarshaller.startElement method is responsible for processing nested elements recursively. Pre-1.4.20 versions lacked depth tracking in this critical path, allowing attackers to craft malicious payloads that exhaust the call stack. The patch in 1.4.20 introduced depth validation in this unmarshalling process, confirming this as the vulnerable code path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** vuln*r**ility m*y *llow * r*mot* *tt**k*r to t*rmin*t* t** *ppli**tion wit* * st**k ov*r*low *rror r*sultin* in * **ni*l o* s*rvi** only *y m*nipul*tin* t** pro**ss** input str**m. ### P*t***s XStr**m *.*.** **n*l*s t** st**k ov*r*low

Reasoning

T** vuln*r**ility st*ms *rom un*ontroll** r**ursion *urin* XML unm*rs**llin* o* ***ply n*st** stru*tur*s. T** `Tr**Unm*rs**ll*r.st*rt*l*m*nt` m*t*o* is r*sponsi*l* *or pro**ssin* n*st** *l*m*nts r**ursiv*ly. Pr*-*.*.** v*rsions l**k** **pt* tr**kin*

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-40151: XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow

Impact

Patches

Workarounds

References

Credits

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI