About XStream

XStream is a simple library to serialize objects to XML and back again.


Typical Uses

Known Limitations

If using the enhanced mode, XStream can re-instantiate classes that do not have a default constructor. However, if using a different JVM like an old JRockit version, a JDK 1.4 or you have restrictions because of a SecurityManager, a default constructor is required.

The enhanced mode is also necessary to restore final fields for any JDK < 1.5. This implies deserialization of instances of an inner class.

Auto-detection of annotations may cause race conditions. Preprocessing annotations is safe though.

Getting Started

Latest News

May 23, 2017 XStream 1.4.10 released

This maintenance release addresses the security vulnerability CVE-2017-7957, a possibility for a denial of service attack. All previous versions are affected.

XStream supports now the java.time.* package of Java 8 with various new converters.

Emit warning message if XStream instance is still running with an uninitialized security framework.

Provide separate XStream artifact without stuff for Java 8.

View the complete change log and download.

Note, the next major release 1.5 will require Java 7.

Thanks to this impressive list of contributors.