About XStream

XStream is a simple library to serialize objects to XML and back again.

Features

Typical Uses

Known Limitations

If using the enhanced mode, XStream can re-instantiate classes that do not have a default constructor. However, if using a different JVM like an old JRockit version, a JDK 1.4 or you have restrictions because of a SecurityManager, a default constructor is required.

The enhanced mode is also necessary to restore final fields for any JDK < 1.5. This implies deserialization of instances of an inner class.

Auto-detection of annotations may cause race conditions. Preprocessing annotations is safe though.

Getting Started

Latest News

January 29, 2022 XStream 1.4.19 released

This maintenance release addresses the security vulnerability CVE-2021-43859, when unmarshalling highly recursive collections or maps causing a Denial of Service.

View the complete change log and download.

Note, the next major release 1.5 will require Java 8.