CVE-2016-3674: XML External Entity (XXE) Vulnerability in XStream.

Affected Versions

XStream is not vulnerable, if the default XML Pull Parser is used (Xpp3 or kXML2), since these parser types do not process XML entities at all.

All versions until and including version 1.4.8 are affected, if they use explicitly one of the following parsers:

XStream's HierarchicalStreamDriver implementations will now explicitly turn off the processing of external entities, but the setting is not respected by all parser implementations. XStream stays therefore vulnerable in future, if one of the following parser implementations is explicitly used:

See FAQ for a matrix explaining some parser behavior.


XStream supports a lot of different XML parsers. Some of those can also process external entities which was enabled by default. An attacker could therefore provide manipulated XML as input to access data on the file system, see XXE Vulnerability.

Steps to Reproduce

An attacker might use external general or parameter entities:

<?xml version="1.0">
  <!DOCTYPE root [
    <!ELEMENT string (#PCDATA)>
    <!ENTITY content SYSTEM "file:/etc/passwd">
<?xml version="1.0">
  <!DOCTYPE root [
    <!ELEMENT string (#PCDATA)>
    <!ENTITY content SYSTEM "file:/etc/passwd">

Use one of the XML documents above, initialize XStream with a vulnerable parser and unmarshal the XML:

XStream xstream = new XStream();
String s = (String)xstream.fromXML(xml);


The vulnerability may allow a remote attacker to retrieve the content of arbitrary files with known locations in a local file system if the Java process has read access.


Use one of the XML Pull Parser implementations.


The vulnerability was discovered and reported by Alexander Klink.