CVE-2021-43859 Overview
CVE-2021-43859 is a denial of service vulnerability in XStream, an open source Java library used to serialize objects to XML and back again. This vulnerability affects versions prior to 1.4.19 and allows remote attackers to allocate 100% CPU time on target systems by manipulating processed input streams containing highly recursive collections or maps. The attack exploits the library's handling of nested data structures during deserialization, causing excessive processing time that can render systems unresponsive.
Critical Impact
Remote attackers can cause complete denial of service by sending specially crafted XML or JSON payloads containing recursive collections, consuming all available CPU resources without requiring authentication.
Affected Products
- XStream versions prior to 1.4.19
- Jenkins (all versions using vulnerable XStream)
- Fedora 34 and 35
- Debian Linux 9.0
- Oracle Commerce Guided Search 11.3.2
- Oracle Communications BRM - Elastic Charging Engine
- Oracle Communications Cloud Native Core Automated Test Suite 1.9.0
- Oracle Communications Diameter Intelligence Hub
- Oracle Communications Policy Management 12.6.0.0.0
- Oracle FlexCube Private Banking 12.1.0
- Oracle Retail XStore Point of Service (versions 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1)
Discovery Timeline
- 2022-02-01 - CVE-2021-43859 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2021-43859
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption). The flaw exists in how XStream processes deeply nested or recursive collection structures during deserialization. When unmarshalling XML or JSON input containing highly recursive collections or maps, the library fails to impose adequate limits on processing time and resource consumption.
An attacker can craft malicious input that exploits this behavior to trigger algorithmic complexity attacks. The nested structure causes exponential growth in processing time, effectively creating a CPU exhaustion scenario. Depending on the target system's CPU type or the parallel execution of such payloads, the attack can completely saturate processing resources.
The vulnerability is particularly dangerous because XStream supports multiple data formats beyond XML, including JSON, meaning the same attack vectors can be leveraged through different input mechanisms.
Root Cause
The root cause of CVE-2021-43859 lies in the absence of time-based monitoring and limits during collection element processing. Prior to version 1.4.19, XStream did not track the cumulative time spent adding elements to collections during deserialization. This allowed malicious input with deeply recursive structures to consume unbounded CPU time.
The fix introduces monitoring capabilities through new API additions including XStream.COLLECTION_UPDATE_LIMIT, XStream.COLLECTION_UPDATE_SECONDS, and setCollectionUpdateLimit(int) methods. These changes allow the library to track processing time and throw an InputManipulationException when a configurable threshold is exceeded.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending a specially crafted XML or JSON payload to any application endpoint that processes untrusted input using a vulnerable XStream version. The malicious payload contains highly recursive collection or map structures designed to maximize processing time.
// Security patch changes from XStream 1.4.19 release notes
// Source: https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846
<p class="highlight">This maintenance release addresses the security vulnerability
<a href="CVE-2021-43859.html">CVE-2021-43859</a>, when unmarshalling highly recursive collections or maps causing a
Denial of Service.</p>
<h2>API changes</h2>
<ul>
<li>Added c.t.x.XStream.COLLECTION_UPDATE_LIMIT and c.t.x.XStream.COLLECTION_UPDATE_SECONDS.</li>
<li>Added c.t.x.XStream.setCollectionUpdateLimit(int).</li>
<li>Added c.t.x.core.SecurityUtils.</li>
<li>Added c.t.x.security.AbstractSecurityException and c.t.x.security.InputManipulationException.</li>
<li>c.t.x.security.InputManipulationException derives now from c.t.x.security.AbstractSecurityException.</li>
</ul>
Source: GitHub XStream Commit
Detection Methods for CVE-2021-43859
Indicators of Compromise
- Abnormally high CPU utilization on application servers processing XML/JSON input
- Unresponsive application threads blocked in XStream deserialization operations
- Memory consumption spikes correlated with incoming serialization requests
- Application logs showing repeated deserialization operations without completion
Detection Strategies
- Monitor for incoming XML or JSON payloads with excessive nesting depth or recursive reference patterns
- Implement application performance monitoring to detect sudden CPU spikes during request processing
- Review application dependencies using software composition analysis (SCA) tools to identify vulnerable XStream versions
- Configure network intrusion detection systems to flag anomalously large or deeply nested serialized payloads
Monitoring Recommendations
- Deploy resource utilization alerts for Java application servers with thresholds for CPU usage above 90% sustained over 30 seconds
- Implement request timeout monitoring to detect requests that exceed normal processing durations
- Enable thread dump analysis to identify threads stuck in XStream-related stack traces
- Monitor for InputManipulationException occurrences after upgrading to patched versions as these may indicate ongoing attack attempts
How to Mitigate CVE-2021-43859
Immediate Actions Required
- Upgrade XStream to version 1.4.19 or later immediately
- Audit all applications and dependencies for XStream usage using software composition analysis tools
- Implement request timeouts at the application gateway level to limit exposure
- If immediate upgrade is not possible, enable XStream's NO_REFERENCES mode as a temporary workaround
Patch Information
The fix is available in XStream version 1.4.19 and later. The patch introduces time-based monitoring that tracks how long elements take to be added to collections during deserialization. When the accumulated time exceeds a configurable threshold, the library throws an InputManipulationException to prevent resource exhaustion.
For detailed patch information, refer to the XStream CVE-2021-43859 Advisory and the GitHub Security Advisory GHSA-rmr5-cpv2-vgjf.
Oracle products affected by this vulnerability should apply patches from the Oracle April 2022 Critical Patch Update and Oracle July 2022 Critical Patch Update.
Workarounds
- Set NO_REFERENCES mode to prevent recursion if upgrading is not immediately possible
- Implement input validation to reject payloads exceeding reasonable size or nesting depth limits
- Configure web application firewalls to filter requests with suspicious recursive patterns
- Apply network-level rate limiting to endpoints that process XStream serialization
Configuration example for setting NO_REFERENCES mode as a temporary workaround.
Add to your XStream initialization code:

    import com.thoughtworks.xstream.XStream;

    XStream xstream = new XStream();
    // Disables reference handling, so recursive structures cannot be expressed in the input
    xstream.setMode(XStream.NO_REFERENCES);

For Maven projects, update pom.xml to use the patched version:

    <dependency>
        <groupId>com.thoughtworks.xstream</groupId>
        <artifactId>xstream</artifactId>
        <version>1.4.19</version>
    </dependency>
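The nesting-depth and recursive-reference checks suggested under Detection Strategies and under the input-validation workaround, as an added Python example that is not part of this page or of XStream: it streams through an untrusted XStream XML document before deserialization and rejects it when nesting depth, element count or `reference` back-links exceed a threshold. The thresholds and the sample documents are constructed assumptions; XStream's `reference` attribute is the mechanism that encodes shared and recursive objects in its output, so counting it on the consuming side mirrors the NO_REFERENCES workaround.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

# Thresholds are assumptions chosen for illustration; size them to the largest
# legitimate document the endpoint really receives. max_references = 0 is only
# appropriate where producers never rely on shared-object references.
DEFAULT_LIMITS = {"max_depth": 32, "max_elements": 10_000, "max_references": 0}


def inspect_payload(xml_bytes):
    """Stream through an XStream XML document without building the object graph
    and return its maximum nesting depth, element count and back-reference count."""
    depth = max_depth = elements = references = 0
    for event, elem in ET.iterparse(BytesIO(xml_bytes), events=("start", "end")):
        if event == "start":
            depth += 1
            elements += 1
            max_depth = max(max_depth, depth)
            if "reference" in elem.attrib:
                references += 1
        else:
            depth -= 1
            elem.clear()  # release children so memory stays flat on large inputs
    return {"max_depth": max_depth, "elements": elements, "references": references}


def is_acceptable(xml_bytes, limits=DEFAULT_LIMITS):
    """Return (True, "ok") or (False, reason). Malformed XML is rejected as well,
    since a parser error here is cheaper than handing the document to XStream."""
    try:
        stats = inspect_payload(xml_bytes)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    if stats["max_depth"] > limits["max_depth"]:
        return False, "nesting depth %d exceeds %d" % (stats["max_depth"], limits["max_depth"])
    if stats["elements"] > limits["max_elements"]:
        return False, "element count %d exceeds %d" % (stats["elements"], limits["max_elements"])
    if stats["references"] > limits["max_references"]:
        return False, "%d back-references exceed %d" % (stats["references"], limits["max_references"])
    return True, "ok"


# Constructed sample inputs (not captured traffic): a benign XStream list, an
# over-nested document built programmatically, and a set whose innermost element
# refers back to an ancestor, the shape XStream uses for recursive collections.
BENIGN = b"<list><string>alpha</string><string>beta</string></list>"
OVER_NESTED = b"<list>" * 100 + b"</list>" * 100
SELF_REFERENCING = b'<set><set><set reference="../.."/></set></set>'

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("nested", OVER_NESTED), ("recursive", SELF_REFERENCING)):
        print(name, is_acceptable(doc))
```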
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.