High Severity Vulnerability
This vulnerability has been rated as High severity. Immediate action is recommended.
CVE-2024-47072
Vulnerability Description
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, solely by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream that causes the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
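The interim workaround from the description (catching the StackOverflowError at the call site) alongside the behaviour of the patched release, as an added Java example; this is not XStream's own code or part of the advisory. The `SafeBinaryReader` wrapper, the `Message` payload type and the constructed sample input are assumptions for illustration; the XStream classes and methods used (`XStream`, `BinaryStreamDriver`, `allowTypes`, `fromXML`, `InputManipulationException`, `XStreamException`) are the library's public API.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
import com.thoughtworks.xstream.security.InputManipulationException;

import java.io.ByteArrayInputStream;
import java.io.InputStream;

/** Defensive wrapper around XStream binary deserialization (added example, not XStream's code). */
public final class SafeBinaryReader {

    /** Hypothetical payload type; any type on the allow-list would do. */
    public static final class Message {
        public String text;
    }

    private final XStream xstream;

    public SafeBinaryReader() {
        // The vulnerable configuration named in the advisory: the binary driver.
        xstream = new XStream(new BinaryStreamDriver());
        // XStream's allow-list security framework: only the expected type may be instantiated.
        xstream.allowTypes(new Class[] { Message.class });
    }

    /**
     * Deserializes one untrusted binary stream. Returns null when the input is rejected,
     * whether the patched library (1.4.21+) detects the manipulation or an unpatched one
     * runs out of stack. Either way the calling thread survives and can report the failure.
     */
    public Object read(InputStream in) {
        try {
            return xstream.fromXML(in);
        } catch (InputManipulationException e) {
            // XStream >= 1.4.21: manipulated binary stream detected and refused.
            return null;
        } catch (StackOverflowError e) {
            // XStream < 1.4.21: the advisory's workaround. Catching the Error here keeps
            // the application alive instead of letting the stream terminate it.
            return null;
        } catch (XStreamException e) {
            // Any other malformed or disallowed input is rejected the same way.
            return null;
        }
    }

    public static void main(String[] args) {
        SafeBinaryReader reader = new SafeBinaryReader();
        // Constructed sample input; a real caller would pass the untrusted request body.
        byte[] untrusted = new byte[0];
        Object result = reader.read(new ByteArrayInputStream(untrusted));
        System.out.println(result == null ? "input rejected" : "parsed " + result);
    }
}
```

The catch of StackOverflowError is only a stop-gap: the recursion still runs to the thread's stack limit on every manipulated stream, so the durable fix is the upgrade to 1.4.21, after which the same code path surfaces the problem as an InputManipulationException before the stack is exhausted.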
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CPUJUL2025: Oracle Critical Patch Update Advisory - July 2025
- CPUAPR2025: Oracle Critical Patch Update Advisory - April 2025
- CPUJAN2025: Oracle Critical Patch Update Advisory - January 2025
References & Resources
- https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266
- https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q
- https://x-stream.github.io/CVE-2024-47072.html
- https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html
Severity Details
Weakness Type (CWE)
Stack-based Buffer Overflow
- Description: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
- Exploit Likelihood: High
- Typical Severity: High
- Abstraction Level: Variant
Key Information
- Published Date: November 08, 2024
