CVE-2021-29505 | XStream is vulnerable to a Remote Command Execution attack

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.

Published: 2021-05-28 Last update: 2025-05-30 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2021-29505 is rated Moderate Risk (64.4/100): CVSS High severity, with high exploitation likelihood (EPSS 90.35%, 100th percentile). EPSS ranks this CVE among the most likely to be exploited in the near term. High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2021-29505

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-05-11 90.77% 90.35% -0.42%
2 2026-01-13 90.35% 90.77% +0.42%
3 2025-11-30 90.35%

Full EPSS history (37 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2021-29505

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 3.1 HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.6 5.9 [email protected]
8.8 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 2.8 5.9 [email protected]
6.5 2.0 MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:S)
A single authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 8.0 6.4 [email protected]

Weakness enumeration for CVE-2021-29505

GitHub Security Advisory for CVE-2021-29505

GHSA-7chv-rrw6-w6fc · Severity: high · Ecosystem: maven — XStream is vulnerable to a Remote Command Execution attack

OS Trackers for CVE-2021-29505

vendor priority summary link
debian not yet assigned CVE-2021-29505 not yet assigned priority: Debian including 1 source packages (libxstream-java), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2021-29505
redhat high https://access.redhat.com/security/cve/CVE-2021-29505
suse high CVE-2021-29505 severity important: SUSE including 247 source package names (5.0.0-beta1.2.122:xstream-1.4.17-3.11.2, 5.1.0.6.40:xstream-1.4.17-3.11.2, …), 280 product×package rows across 32 product lines (Container suse/manager/5.0/x86_64/server, Container suse/multi-linux-manager/5.1/x86_64/server, … (32 product lines)): Known Affected 231, Fixed 49. https://www.suse.com/security/cve/CVE-2021-29505/
ubuntu medium CVE-2021-29505 medium priority: Ubuntu including 1 source packages (libxstream-java), 16 status rows across 16 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 8, ignored 3, needed 3, needs-triage 2. https://ubuntu.com/security/CVE-2021-29505

Affected software / configurations for CVE-2021-29505

Vendor Product Version Raw CPE
xstream xstream < 1.4.17 cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*
debian debian_linux 9.0 cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
debian debian_linux 10.0 cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
debian debian_linux 11.0 cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
fedoraproject fedora 33 cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
fedoraproject fedora 34 cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
fedoraproject fedora 35 cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
netapp snapmanager cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
netapp snapmanager cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*
oracle banking_cash_management 14.2 cpe:2.3:a:oracle:banking_cash_management:14.2:*:*:*:*:*:*:*
oracle banking_cash_management 14.3 cpe:2.3:a:oracle:banking_cash_management:14.3:*:*:*:*:*:*:*
oracle banking_cash_management 14.5 cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*
oracle banking_corporate_lending_process_management 14.2.0 cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
oracle banking_corporate_lending_process_management 14.3.0 cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
oracle banking_corporate_lending_process_management 14.5.0 cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
oracle banking_credit_facilities_process_management 14.2.0 cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
oracle banking_credit_facilities_process_management 14.3.0 cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
oracle banking_credit_facilities_process_management 14.5.0 cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
oracle banking_supply_chain_finance 14.2.0 cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*
oracle banking_trade_finance_process_management 14.5.0 cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*
oracle business_activity_monitoring 11.1.1.9.0 cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*
oracle business_activity_monitoring 12.2.1.3.0 cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*
oracle business_activity_monitoring 12.2.1.4.0 cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*
oracle communications_brm_-_elastic_charging_engine 11.3 cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3:*:*:*:*:*:*:*
oracle communications_brm_-_elastic_charging_engine 12.0 cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0:*:*:*:*:*:*:*
oracle communications_unified_inventory_management 7.3.4 cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
oracle communications_unified_inventory_management 7.3.5 cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
oracle communications_unified_inventory_management 7.4.0 cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
oracle communications_unified_inventory_management 7.4.1 cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
oracle communications_unified_inventory_management 7.4.2 cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*
oracle enterprise_manager_ops_center 12.4.0.0 cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
oracle retail_customer_insights 15.0.2 cpe:2.3:a:oracle:retail_customer_insights:15.0.2:*:*:*:*:*:*:*
oracle retail_customer_insights 16.0.2 cpe:2.3:a:oracle:retail_customer_insights:16.0.2:*:*:*:*:*:*:*
oracle retail_xstore_point_of_service 16.0.6 cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
oracle retail_xstore_point_of_service 17.0.4 cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
oracle retail_xstore_point_of_service 18.0.3 cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
oracle retail_xstore_point_of_service 19.0.2 cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
oracle retail_xstore_point_of_service 20.0.1 cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
oracle webcenter_portal 12.2.1.3.0 cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
oracle webcenter_portal 12.2.1.4.0 cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
oracle webcenter_sites 12.2.1.3.0 cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
oracle webcenter_sites 12.2.1.4.0 cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*

References for CVE-2021-29505

URL Tags
https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f Patch Third Party Advisory
https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc Third Party Advisory
https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
https://lists.fedoraproject.org/archives/list/[email protected]/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
https://lists.fedoraproject.org/archives/list/[email protected]/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
https://security.netapp.com/advisory/ntap-20210708-0007
https://www.debian.org/security/2021/dsa-5004 Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Mailing List Third Party Advisory
https://x-stream.github.io/CVE-2021-29505.html
https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E Issue Tracking Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ Mailing List
https://security.netapp.com/advisory/ntap-20210708-0007/ Third Party Advisory
cvelogic Threat Intelligence