XStream is a simple library to serialize objects to XML and back again.


Known Limitations

In enhanced mode, XStream can re-instantiate classes that have no default constructor, because it relies on JVM-specific reflection support to allocate an instance without running any constructor. That support is not available everywhere: on a different JVM such as an old JRockit version, on JDK 1.4, or when a SecurityManager restricts reflective access, XStream falls back to plain Java reflection and a default constructor is required.

Enhanced mode is also required to restore final fields on any JDK < 1.5, where plain reflection cannot write them. In particular, deserializing instances of a non-static inner class depends on it, because the reference to the enclosing instance is held in a final field.

Auto-detection of annotations may cause race conditions: when it is enabled, XStream registers aliases and converters lazily the first time it meets an annotated class, which can happen concurrently on several threads sharing one instance. Processing the annotations up front, before the instance is shared, is safe.
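The safe pattern, as an added example that is not code from the XStream project: every annotated class is passed to processAnnotations() while the instance is still private to one thread, the instance is additionally locked down to an allow-list of types (the permission API exists since XStream 1.4.7), and only then is it shared. The User class is a hypothetical domain type invented for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.annotations.XStreamAlias;
import com.thoughtworks.xstream.annotations.XStreamAsAttribute;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class AnnotationSetup {

    // Hypothetical annotated domain class (not from the XStream project).
    @XStreamAlias("user")
    public static class User {
        @XStreamAsAttribute
        String name;
        int logins;

        User(String name, int logins) {
            this.name = name;
            this.logins = logins;
        }
    }

    // Build one fully configured XStream instance up front.
    // processAnnotations() registers aliases and converters synchronously here,
    // so nothing is registered lazily later inside concurrent toXML/fromXML calls.
    public static XStream buildXStream() {
        XStream xstream = new XStream();
        xstream.processAnnotations(User.class);
        // Deny everything, then allow only what this instance is meant to handle.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, User.class });
        return xstream;
    }

    public static void main(String[] args) throws InterruptedException {
        final XStream xstream = buildXStream();
        // The same instance is shared by several threads; it is only used, never reconfigured.
        Thread[] workers = new Thread[4];
        for (int i = 0; i < workers.length; i++) {
            final int id = i;
            workers[i] = new Thread(new Runnable() {
                public void run() {
                    String xml = xstream.toXML(new User("user" + id, id));
                    User back = (User) xstream.fromXML(xml);
                    if (!back.name.equals("user" + id) || back.logins != id) {
                        throw new IllegalStateException("round trip failed in thread " + id);
                    }
                    System.out.println(xml);
                }
            });
            workers[i].start();
        }
        for (Thread t : workers) {
            t.join();
        }
    }
}
```

Contrast this with calling xstream.autodetectAnnotations(true) and handing the instance to a thread pool: the first thread to marshal a User would mutate the shared mapper while the others are reading it.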

March 15, 2016 XStream 1.4.9 released

Maintenance release 1.4.9 of XStream with bug fixes, including one eliminating an XXE vulnerability, and a new benchmark module.

Several of the supported XML parser backends processed external entities by default, exposing applications that unmarshal untrusted XML to XML External Entity (XXE) attacks such as local file disclosure. External entity processing is now turned off wherever the underlying parser allows it. If you supply your own driver or parser factory, that configuration is yours to check.
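What "turned off" means in practice, as an added example that is not code from the XStream project: the StAX backend is configured so that external entities are never resolved and DTDs are refused altogether, and a constructed XXE payload is fed through it. HardenedStaxDriver is a name chosen here; the example assumes, as in the XStream 1.4 code base, that StaxDriver exposes its input factory through the protected createInputFactory() method.

```java
import javax.xml.stream.XMLInputFactory;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.StaxDriver;
import com.thoughtworks.xstream.security.NoTypePermission;

// Illustrative subclass, not part of XStream: it hardens the StAX input factory
// and additionally refuses DTDs entirely.
public class HardenedStaxDriver extends StaxDriver {

    @Override
    protected XMLInputFactory createInputFactory() {
        XMLInputFactory factory = super.createInputFactory();
        // No external general or parameter entities: the classic XXE vector.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // No DTD at all: without a DOCTYPE there is nowhere to declare an entity,
        // which also shuts down internal-entity expansion attacks ("billion laughs").
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return factory;
    }

    public static void main(String[] args) {
        // Constructed attack payload: if resolved, the external entity would pull in
        // /etc/passwd and the unmarshalled String would carry its contents.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE s [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
                + "<string>&xxe;</string>";

        XStream xstream = new XStream(new HardenedStaxDriver());
        // Type allow-list (XStream >= 1.4.7): only a String may come out of this parse.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.allowTypes(new Class[] { String.class });

        try {
            Object result = xstream.fromXML(payload);
            // Reached only if the parser silently ignored the entity reference;
            // the value must not contain any file contents.
            System.out.println("parsed, entity not expanded: \"" + result + "\"");
        } catch (Exception e) {
            // Common StAX implementations throw here, because the entity is never
            // declared once DTD processing is disabled.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Either outcome is acceptable from a security standpoint; what must never happen is the entity being resolved and the file contents appearing in the result.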

The home-grown benchmark module has been replaced by an implementation based on JMH, the Java Microbenchmark Harness.

XStream now supports java.nio.file.Path with a specialized converter.

View the complete change log and download.

Note that the next major release, 1.5, will require Java 7.

Thanks to this impressive list of contributors.