CVE-2024-47072

Aliases:GHSA-hfq9-hggm-c56q
Advisory lineage Upstream: 0 Downstream: 11
Deferred
Published: 07 Nov 2024, 23:38
Last modified:03 Nov 2025, 22:19

Vulnerability Summary

Overall Risk (default)
medium
30/100
CVSS Score
7.5 HIGH
v3.1 (cve.org)
EPSS Score
0.26% LOW
0% probability -0.10%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

07 Nov 2024, 23:38
Published
Vulnerability first disclosed
03 Nov 2025, 22:19
Last Modified
Vulnerability information updated

Description

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.

CVSS Metrics

  • v4.0HIGHScore: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.26% Percentile: 50%

Techniques & Countermeasures

  • CWE-121Stack-based Buffer Overflow

    A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

  • CWE-502Deserialization of Untrusted Data

    The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

  • com.thoughtworks.xstreamxstream

    < 1.4.21

  • x-streamxstream

    < 1.4.21

References (7)