CVE-2024-47072 Overview
CVE-2024-47072 is a stack overflow vulnerability in XStream, a popular Java library for serializing objects to XML and back. When XStream is configured to use the BinaryStreamDriver, a remote attacker can manipulate the processed input stream to trigger a stack overflow error, resulting in a denial of service condition. The vulnerability allows attackers to crash applications by sending specially crafted binary input streams.
Critical Impact
Remote attackers can terminate applications using XStream's BinaryStreamDriver through stack overflow errors, causing denial of service without requiring authentication or user interaction.
Affected Products
- XStream versions prior to 1.4.21
- Applications using XStream with BinaryStreamDriver configuration
- Java applications dependent on vulnerable XStream serialization
Discovery Timeline
- 2024-11-08 - CVE-2024-47072 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-47072
Vulnerability Analysis
This vulnerability is classified under CWE-121 (Stack-based Buffer Overflow). The flaw exists in XStream's BinaryStreamDriver component, which handles binary serialization and deserialization of Java objects. When processing maliciously crafted binary input streams, the library can enter a recursive processing state that exhausts the call stack, leading to a StackOverflowError. The condition can be triggered over the network without any authentication or user interaction.
The vulnerability specifically affects the binary stream parsing logic where recursive object graph traversal can be manipulated to exceed the JVM's stack depth limits. An attacker can craft a binary payload with deeply nested or circular structures that exploit the deserialization process.
Root Cause
The root cause lies in the BinaryStreamDriver's handling of nested object structures during deserialization. The binary stream format allows specification of object graphs that, when maliciously constructed, cause the parsing logic to recurse indefinitely. Prior to version 1.4.21, XStream lacked proper depth validation and manipulation detection in the binary input stream processing, allowing attackers to craft payloads that trigger unbounded recursion during object reconstruction.
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by sending a specially crafted binary stream to any application endpoint that deserializes user-controlled input using XStream's BinaryStreamDriver. The attack results in the target JVM throwing a StackOverflowError, causing the application thread (or entire application) to terminate abnormally.
The attack vector involves crafting a binary stream with manipulation patterns designed to trigger excessive recursion in the deserialization process. Since the BinaryStreamDriver processes binary data directly, traditional XML-based sanitization approaches are ineffective against this attack.
Detection Methods for CVE-2024-47072
Indicators of Compromise
- Repeated StackOverflowError exceptions in application logs originating from XStream deserialization
- Abnormal binary stream input patterns with unusually deep nesting structures
- Application crashes or thread terminations coinciding with deserialization operations
- Increased frequency of JVM restarts or service unavailability
Detection Strategies
- Monitor application logs for StackOverflowError exceptions with stack traces involving com.thoughtworks.xstream packages
- Implement input size and complexity validation before passing data to XStream deserialization
- Deploy application performance monitoring to detect unusual memory or stack usage patterns
- Use Web Application Firewalls (WAF) to inspect and limit payload sizes for endpoints accepting binary data
Monitoring Recommendations
- Configure alerting for JVM crashes or abnormal terminations in production environments
- Establish baseline metrics for deserialization operation timing and resource consumption
- Monitor network traffic for anomalous binary payloads targeting XStream-enabled endpoints
- Review dependency scanning results to identify applications using vulnerable XStream versions
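The detection strategies and monitoring recommendations above come down to one concrete signal: StackOverflowError events whose stack frames sit in com.thoughtworks.xstream packages. The following is an added example, not part of this advisory or of XStream, that groups application log lines into StackOverflowError events, flags those with XStream frames, and raises an alert once they reach a threshold. The log layout (an ISO timestamp, level and bracketed thread name, followed by the JVM's bare exception and "at" frame lines), the sample log lines and their source line numbers are all constructed for the example; the class names com.thoughtworks.xstream.io.binary.BinaryStreamReader and com.thoughtworks.xstream.core.TreeUnmarshaller are real XStream classes, the com.example entry is a constructed unrelated recursion bug used as a negative case.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Scans log lines for StackOverflowError events that originate in XStream deserialization. */
public final class XStreamStackOverflowDetector {

    /** One StackOverflowError occurrence and the stack frames logged after it. */
    public static final class Event {
        public final String timestamp;
        public final String thread;
        public final List<String> frames = new ArrayList<>();
        public boolean fromXStream;
        Event(String timestamp, String thread) { this.timestamp = timestamp; this.thread = thread; }
    }

    // Assumed log layout: "<ISO timestamp> <LEVEL> [<thread>] <message>", followed by the bare
    // exception line and "\tat ..." frames exactly as a JVM logger prints a stack trace.
    private static final Pattern ENTRY =
        Pattern.compile("^(\\d{4}-\\d{2}-\\d{2}T[\\d:.]+Z)\\s+(\\w+)\\s+\\[([^\\]]+)\\]\\s+(.*)$");
    private static final Pattern FRAME = Pattern.compile("^\\s*at\\s+([\\w.$]+)\\(");

    /** Groups the lines into StackOverflowError events and marks those with XStream frames. */
    public static List<Event> parse(List<String> lines) {
        List<Event> events = new ArrayList<>();
        String lastTimestamp = "?", lastThread = "?";
        Event current = null;
        for (String line : lines) {
            Matcher e = ENTRY.matcher(line);
            if (e.matches()) {
                // A new prefixed entry: remember its context and close any open stack trace.
                lastTimestamp = e.group(1);
                lastThread = e.group(3);
                current = null;
                line = e.group(4);
            }
            if (line.contains("java.lang.StackOverflowError")) {
                current = new Event(lastTimestamp, lastThread);
                events.add(current);
                continue;
            }
            Matcher f = FRAME.matcher(line);
            if (current != null && f.find()) {
                String frame = f.group(1);
                current.frames.add(frame);
                if (frame.startsWith("com.thoughtworks.xstream.")) current.fromXStream = true;
            }
        }
        return events;
    }

    /** Produces an alert once XStream-originated StackOverflowErrors reach the threshold. */
    public static List<String> alerts(List<Event> events, int threshold) {
        Set<String> threads = new LinkedHashSet<>();
        int hits = 0;
        for (Event ev : events) {
            if (ev.fromXStream) { hits++; threads.add(ev.thread); }
        }
        List<String> out = new ArrayList<>();
        if (hits >= threshold) {
            out.add(hits + " StackOverflowError(s) with com.thoughtworks.xstream frames on threads "
                    + threads + " (CVE-2024-47072 pattern, review the deserializing endpoint)");
        }
        return out;
    }

    // Constructed sample log: two XStream-related overflows on request threads, one unrelated one.
    static final List<String> SAMPLE_LOG = Arrays.asList(
        "2024-11-09T10:12:01Z INFO  [http-nio-8080-exec-1] POST /api/import 200",
        "2024-11-09T10:12:03Z ERROR [http-nio-8080-exec-3] Request failed",
        "java.lang.StackOverflowError: null",
        "\tat com.thoughtworks.xstream.io.binary.BinaryStreamReader.moveDown(BinaryStreamReader.java:100)",
        "\tat com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)",
        "\t... 1024 more",
        "2024-11-09T10:12:04Z ERROR [http-nio-8080-exec-7] Request failed",
        "java.lang.StackOverflowError: null",
        "\tat com.thoughtworks.xstream.io.binary.BinaryStreamReader.moveDown(BinaryStreamReader.java:100)",
        "2024-11-09T10:12:05Z ERROR [scheduler-1] Job failed",
        "java.lang.StackOverflowError: null",
        "\tat com.example.reports.Tree.walk(Tree.java:40)");

    public static void main(String[] args) {
        List<Event> events = parse(SAMPLE_LOG);
        System.out.println(events.size() + " StackOverflowError events parsed");   // 3
        for (String a : alerts(events, 2)) System.out.println("ALERT: " + a);       // one alert, 2 hits
    }
}
```

The parser deliberately keys on the frame package rather than on the exception alone, so a recursion bug elsewhere in the application (the scheduler event above) does not count toward the alert; in production the threshold would be applied per time window from the timestamps the events carry.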
How to Mitigate CVE-2024-47072
Immediate Actions Required
- Upgrade XStream to version 1.4.21 or later immediately
- Identify all applications in your environment using XStream with BinaryStreamDriver configuration
- Implement input validation and size limits on endpoints accepting binary serialized data
- Consider temporarily disabling BinaryStreamDriver in favor of other serialization drivers until patching is complete
Patch Information
XStream version 1.4.21 addresses this vulnerability by implementing detection mechanisms for binary input stream manipulation that would cause stack overflow conditions. Instead of allowing unbounded recursion, the patched version raises an InputManipulationException when suspicious patterns are detected. The fix is documented in the project's GitHub commit; additional information is available in the GitHub Security Advisory and in the XStream project's own CVE analysis.
Workarounds
- If upgrading is not immediately possible, wrap XStream deserialization calls with try-catch blocks that handle StackOverflowError to prevent complete application termination
- Implement rate limiting on endpoints that process binary serialized data
- Use network-level controls to restrict access to vulnerable endpoints
- Consider switching to alternative serialization drivers (XML-based) that are not affected by this specific vulnerability
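The immediate actions, patch information and workarounds above can be combined into one guarded deserialization path. The following is an added example, not XStream's own code, showing an endpoint-side wrapper around a BinaryStreamDriver-configured XStream instance that caps the payload size before parsing, allow-lists only the expected types through XStream's own security framework, turns a StackOverflowError from an unpatched library into a handled rejection so the thread survives, and also catches the exception family the patched library raises. The MAX_PAYLOAD_BYTES limit, the Message type and the Outcome result class are assumptions of the example; it assumes that the patched version's InputManipulationException is a subclass of com.thoughtworks.xstream.XStreamException.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/** Guarded wrapper around XStream binary deserialization (example code, not XStream's own). */
public final class GuardedBinaryDeserializer {

    /** Assumed upper bound for one serialized request; size it to the largest legitimate graph. */
    static final int MAX_PAYLOAD_BYTES = 64 * 1024;

    /** Result of a guarded deserialization: a value, or the reason the input was rejected. */
    public static final class Outcome {
        public final Object value;
        public final String rejection;
        private Outcome(Object value, String rejection) { this.value = value; this.rejection = rejection; }
        static Outcome ok(Object v) { return new Outcome(v, null); }
        static Outcome rejected(String why) { return new Outcome(null, why); }
        public boolean accepted() { return rejection == null; }
    }

    private final XStream xstream;

    public GuardedBinaryDeserializer(Class<?>... allowedTypes) {
        xstream = new XStream(new BinaryStreamDriver());
        // XStream's security framework: deny everything, then re-allow nulls, primitives and
        // exactly the application types this endpoint expects.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(allowedTypes);
    }

    public Outcome deserialize(byte[] payload) {
        // Cheap first check: a deeply nested graph needs bytes to encode its nesting.
        if (payload.length > MAX_PAYLOAD_BYTES) {
            return Outcome.rejected("payload of " + payload.length + " bytes exceeds " + MAX_PAYLOAD_BYTES);
        }
        try (InputStream in = new ByteArrayInputStream(payload)) {
            return Outcome.ok(xstream.fromXML(in));
        } catch (StackOverflowError e) {
            // Unpatched XStream (< 1.4.21): recursion on a manipulated stream exhausts the stack.
            // The stack has unwound by the time this handler runs, so the request thread survives
            // and the caller receives a rejection instead of an abnormally terminated thread.
            return Outcome.rejected("stack exhausted during deserialization (CVE-2024-47072 pattern)");
        } catch (XStreamException e) {
            // Patched XStream rejects manipulated input with InputManipulationException; assumed
            // here to extend XStreamException, so it is handled with other conversion failures.
            return Outcome.rejected("deserialization rejected: " + e.getClass().getSimpleName());
        } catch (IOException e) {
            return Outcome.rejected("I/O failure: " + e.getMessage());
        }
    }

    /** Assumed application type carried by the endpoint. */
    public static final class Message {
        String subject;
        String body;
    }

    public static void main(String[] args) {
        GuardedBinaryDeserializer guard = new GuardedBinaryDeserializer(Message.class);

        // Legitimate round trip produced with the same driver is accepted.
        Message m = new Message();
        m.subject = "hello";
        m.body = "world";
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        guard.xstream.toXML(m, buf);
        Outcome ok = guard.deserialize(buf.toByteArray());
        System.out.println("accepted=" + ok.accepted() + " subject=" + ((Message) ok.value).subject);

        // Oversized input is refused before XStream parses a single byte of it.
        Outcome big = guard.deserialize(new byte[MAX_PAYLOAD_BYTES + 1]);
        System.out.println("accepted=" + big.accepted() + " reason=" + big.rejection);
    }
}
```

The wrapper is a stop-gap layered in front of the library, not a substitute for upgrading to 1.4.21: the size cap and the StackOverflowError handler reduce the blast radius of a manipulated stream on an unpatched build, while the type allow-list is the configuration XStream expects regardless of version. Rejections returned by deserialize are the right place to emit the log event that the detection strategies above key on.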
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

