CVE-2022-40151
denial of service vulnerability in xstream (Maven)


What is CVE-2022-40151 About?

This vulnerability allows a remote attacker to terminate an application with a stack overflow error by manipulating the processed input stream. This results in a denial of service. Exploitation is possible by sending a specially crafted input that triggers excessive recursion during processing.

Affected Software

com.thoughtworks.xstream:xstream <1.4.20

Technical Details

The vulnerability lies in XStream versions prior to 1.4.20, specifically in how it processes certain manipulated input streams. An attacker can craft an input stream that, when unmarshalled, causes XStream to enter into an uncontrolled recursive processing loop. This excessive recursion consumes significant stack memory, leading to a stack overflow error that terminates the application. This effectively renders the service unavailable. XStream 1.4.20 addresses this by handling the stack overflow and instead raising an InputManipulationException, preventing the application from crashing entirely.

What is the Impact of CVE-2022-40151?

Successful exploitation may allow attackers to cause a denial of service by terminating the application via a stack overflow, making the service unavailable to legitimate users.

What is the Exploitability of CVE-2022-40151?

Exploitation complexity is moderate: the attacker must craft a specific, deeply or recursively structured input stream that triggers the stack overflow. No authentication is explicitly mentioned, so the flaw can be exploited remotely wherever the input-processing endpoint is publicly accessible. The attacker does not require elevated privileges; the impact is a denial of service of the application itself. The main risk factor is using XStream versions prior to 1.4.20 without client-side code that catches StackOverflowError during XStream calls.
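The workaround named above, catching StackOverflowError around the XStream call so that a crafted stream fails the one request instead of terminating the application, is shown here as an added example. This is not code from the XStream project or from the advisory; the class name SafeUnmarshal, the exception UntrustedInputException and the sample document are constructed for illustration. XStream.fromXML and XStream.allowTypes are real XStream APIs; the package path com.thoughtworks.xstream.security for InputManipulationException (the exception 1.4.20 raises instead of overflowing) is assumed and should be checked against the 1.4.20 javadoc.

```java
import com.thoughtworks.xstream.XStream;
// Assumed package path for the exception that XStream 1.4.20 raises instead of a StackOverflowError.
import com.thoughtworks.xstream.security.InputManipulationException;

/** Wraps XStream unmarshalling of untrusted input so that a stack overflow
 *  caused by a manipulated stream is contained to the current call. */
public final class SafeUnmarshal {

    /** Constructed exception type; any application-specific failure type will do. */
    public static final class UntrustedInputException extends Exception {
        UntrustedInputException(String message, Throwable cause) { super(message, cause); }
    }

    private final XStream xstream;

    public SafeUnmarshal(Class<?>... allowedTypes) {
        this.xstream = new XStream();
        // Keep the usual deserialization allowlist in place; it is unrelated to
        // CVE-2022-40151 but any XStream instance fed untrusted data needs it.
        this.xstream.allowTypes(allowedTypes);
    }

    /** Unmarshals untrusted XML. Pre-1.4.20 a crafted stream surfaces as a
     *  StackOverflowError; 1.4.20+ reports InputManipulationException instead.
     *  Both are turned into a checked exception the caller can handle. */
    public Object fromUntrustedXml(String xml) throws UntrustedInputException {
        try {
            return xstream.fromXML(xml);
        } catch (StackOverflowError e) {
            // The stack has already unwound by the time this runs, so the thread
            // can continue; the partially built object graph is simply discarded.
            throw new UntrustedInputException("rejected input: excessive nesting", e);
        } catch (InputManipulationException e) {
            throw new UntrustedInputException("rejected input: manipulated stream", e);
        }
    }

    /** Constructed payload type for the demonstration. */
    public static final class Greeting {
        public String text;
    }

    public static void main(String[] args) {
        SafeUnmarshal safe = new SafeUnmarshal(Greeting.class);
        // Constructed, well-formed sample document; a crafted stream would take the catch path instead.
        String sample = "<" + Greeting.class.getName() + "><text>hello</text></" + Greeting.class.getName() + ">";
        try {
            Greeting g = (Greeting) safe.fromUntrustedXml(sample);
            System.out.println("unmarshalled: " + g.text);
        } catch (UntrustedInputException e) {
            // Log and return an error response; the process keeps running.
            System.err.println("input rejected: " + e.getMessage());
        }
    }
}
```

Catching an Error rather than an Exception is deliberate here: StackOverflowError is not a subclass of Exception, so a generic catch (Exception e) around the XStream call does not protect the application. When the unmarshalling happens on a shared thread pool, also consider running it under a per-request timeout so that other slow-path inputs cannot tie the worker up indefinitely. The durable fix remains upgrading to 1.4.20, where the library reports the condition itself.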

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2022-40151?

Available Upgrade Options

  • com.thoughtworks.xstream:xstream
    • <1.4.20 → Upgrade to 1.4.20


Additional Resources

What are Similar Vulnerabilities to CVE-2022-40151?

Similar Vulnerabilities: CVE-2013-4100, CVE-2018-1000877, CVE-2019-14264, CVE-2020-13936, CVE-2021-39149