8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-41966

GHSA ID

GHSA-j563-grx4-pjpv

EPSS Score

0.89094%

CWE

CWE-120

Published

12/29/2022

Updated

6/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-41966

CVE-2022-41966: XStream can cause Denial of Service via stack overflow

Impact

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.

Patches

XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.

Workarounds

The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. Following types of the Java runtime are affected:

java.util.HashMap
java.util.HashSet
java.util.Hashtable
java.util.LinkedHashMap
java.util.LinkedHashSet
Other third party collection implementations that use their element's hash code may also be affected

A simple solution is to catch the StackOverflowError in the client code calling XStream.

If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode:

XStream xstream = new XStream();
xstream.setMode(XStream.NO_REFERENCES);

If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types:

XStream xstream = new XStream();
xstream.denyTypes(new Class[]{
 java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class
});

Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time::

xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);
xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);

However, this implies that your application does not care about the implementation of the map and all elements are comparable.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2022-41966.

For more information

If you have any questions or comments about this advisory:

Open an issue in XStream
Contact us at XStream Google Group

(GitHub Advisory)

8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-41966

GHSA ID

GHSA-j563-grx4-pjpv

EPSS Score

0.89094%

CWE

CWE-120

Published

12/29/2022

Updated

6/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.thoughtworks.xstream:xstream	maven	< 1.4.20	1.4.20

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from XStream's collection converters allowing unlimited recursion during deserialization of Java collection types. Specifically:

MapConverter handles HashMap/LinkedHashMap/Hashtable deserialization
SetConverter handles HashSet/LinkedHashSet deserialization These converters reconstruct collection objects from XML without proper depth validation, enabling attackers to craft nested structures that force recursive hashCode() calls. The hash code implementations of these collections recursively calculate member hashes, leading to stack overflow. The workarounds explicitly mention denying these collection types, confirming their converters' involvement. The patch in 1.4.20 likely adds recursion depth checks in these conversion paths.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** vuln*r**ility m*y *llow * r*mot* *tt**k*r to t*rmin*t* t** *ppli**tion wit* * st**k ov*r*low *rror r*sultin* in * **ni*l o* s*rvi** only *y m*nipul*tin* t** pro**ss** input str**m. ### P*t***s XStr**m *.*.** **n*l*s t** st**k ov*r*low

Reasoning

T** vuln*r**ility st*ms *rom XStr**m's *oll**tion *onv*rt*rs *llowin* unlimit** r**ursion *urin* **s*ri*liz*tion o* J*v* *oll**tion typ*s. Sp**i*i**lly: *. M*p*onv*rt*r **n*l*s **s*M*p/Link****s*M*p/**s*t**l* **s*ri*liz*tion *. S*t*onv*rt*r **n*l*s *

8.2

Basic Information

Concerned about an active attack path?

CVE-2022-41966: XStream can cause Denial of Service via stack overflow

Impact

Patches

Workarounds

References

For more information

8.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI