Seal Security

CVE-2017-7957

Denial of service in XStream

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

7.5

Score Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Versions

com.thoughtworks.xstream:xstream < 1.4.10

Severity

High

Ecosystem

Publish Date

June 30, 2020

Modified Date

May 23, 2025