Change History

Changes are split into the following categories:

Full details can be found in GitHub's Issues, filter for the appropriate milestone.

1.4.21

Released November 7, 2024.

This maintenance release addresses the security vulnerability CVE-2024-47072: unmarshalling a manipulated input stream with the BinaryDriver could cause a Denial of Service due to a stack overflow.

Major changes

Minor changes

API changes

Stream compatibility

1.4.20

Released December 24, 2022.

This maintenance release addresses the security vulnerabilities CVE-2022-40151 and CVE-2022-41966, which cause a Denial of Service by raising a stack overflow. It also provides new converters for Optional and Atomic types.

Major changes

Minor changes

Stream compatibility

API changes

1.4.19

Released January 29, 2022.

This maintenance release addresses the security vulnerability CVE-2021-43859: unmarshalling highly recursive collections or maps could cause a Denial of Service.

API changes

1.4.18

Released August 22, 2021.

This maintenance release addresses the following security vulnerabilities, which affect unmarshalling with an XStream instance that uses the default blacklist of an uninitialized security framework. XStream therefore now uses a whitelist by default.

Minor changes

Stream compatibility

Starting with version 1.14.12 nine years ago, XStream has contained a Security Framework that implements a black- or whitelist of the types allowed at deserialization time. Until version 1.4.17, XStream kept a default blacklist denying those types of the Java runtime that are used for all kinds of security attacks, in order to guarantee optimal runtime compatibility for existing users. However, this approach has failed. The last months have shown that the Java runtime alone contains dozens of types that can be used for an attack, without even looking at the 3rd party libraries on a classpath. The new version of XStream therefore now uses a whitelist by default, which has been recommended for nine years. It has also been complaining on the console for a long time about an uninitialized security framework the first time it was run. Anyone who has followed the advice and initialized the security framework for their own scenario can update to the new version without any problem. Everyone else will have to do a proper initialization now; otherwise the new version will fail with certainty at deserialization time.
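As an added example (not code from the XStream project or this changelog), the kind of explicit whitelist initialization the paragraph above calls for, using a hypothetical Order domain type and constructed sample documents; the XStream API calls shown are the public security-framework methods, everything else is assumed:

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class WhitelistExample {

    // Hypothetical domain type used only to illustrate the whitelist.
    public static class Order {
        String id;
        int quantity;
    }

    // Explicit whitelist initialization: deny everything first, then re-allow
    // exactly the types this application expects to deserialize.
    public static XStream createXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);          // clear all defaults
        xstream.addPermission(NullPermission.NULL);            // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // For a whole model package, a wildcard is the usual alternative:
        // xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = createXStream();

        // Constructed document that uses only whitelisted types: accepted.
        String good = "<order><id>A-1</id><quantity>3</quantity></order>";
        Order o = (Order) xstream.fromXML(good);
        System.out.println("Deserialized order " + o.id + " x" + o.quantity);

        // Constructed document whose root names a runtime type that is not on
        // the whitelist: XStream refuses it before instantiating anything.
        String bad = "<java.util.ArrayList/>";
        try {
            xstream.fromXML(bad);
            System.out.println("unexpected: type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

An uninitialized instance of 1.4.18 or later behaves like createXStream() minus the allowTypes call for your own classes, which is why deserialization of any application type fails until the whitelist is set up.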

1.4.17

Released May 13, 2021.

This maintenance release addresses the security vulnerability CVE-2021-29505, when unmarshalling with an XStream instance using an uninitialized security framework.

Stream compatibility

1.4.16

Released March 13, 2021.

This maintenance release switches XStream's default parser and addresses the following security vulnerabilities, when unmarshalling with an XStream instance using an uninitialized security framework.

Major changes

Minor changes

Stream compatibility

Dependencies

The default parser of XStream has changed from the Xpp3Parser in the artifact xpp3:xpp3_min to MXParser, a fork of Xpp3 in the artifact io.github.x-stream:mxparser. Xpp3 has been unmaintained for a long time. In MXParser, bugs reported more than a decade ago have been fixed, improvements from other forks have been incorporated, and some endless loops that could have been exploited for a DoS attack have been fixed.

XStream therefore has new default dependencies. If you have used XStream with the default driver (i.e. Xpp3), you can still exchange the XStream library as a drop-in replacement, but you will also have to remove the Xpp3 library and add the MXParser library instead.

At build time you will have to add the Xpp3 library to your dependencies if you explicitly use the Xpp3 driver. If you explicitly used a driver other than Xpp3 and had therefore excluded the Xpp3 dependency, you may now have to exclude the new MXParser dependency instead to minimize your dependency list.

1.4.15

Released December 13, 2020.

This maintenance release addresses the security vulnerabilities CVE-2020-26258 and CVE-2020-26259, when unmarshalling with an XStream instance using an uninitialized security framework.

Minor changes

Stream compatibility

Delivery

Any XStream release can run with a minimal Java runtime environment of Java 1.4 as long as this environment processes only the requested classes of the jar file. Until version 1.4.14 XStream was also delivered as a special Java 7 version for Android, because Dalvik scans all classes and fails at classes requiring a higher runtime version. However, this special version will not work in a normal Java 8 environment or higher and was never meant to do so.

Unfortunately, this version always has to be built after the standard version due to the build sequence. The latest version in Maven Central, however, is always the one that has been deployed last, independently of the time of publishing. This now creates an annoyance in GitHub for any project using the Dependabot service, which creates automated pull requests with updates to the latest XStream version, because it now injects the special Java 7 version, which probably breaks these projects.

Users who still require a special version for Java 7 will now have to build this artifact on their own. Users of even older Java environments always had to do so anyway.

1.4.14

Released November 16, 2020.

This maintenance release addresses the security vulnerability CVE-2020-26217, reported originally as CVE-2017-9805 for Struts' XStream Plugin, an arbitrary execution of commands when unmarshalling with XStream instances using an uninitialized security framework.

Stream compatibility

1.4.13

Released September 6, 2020.

Major changes

1.4.12

Released April 12, 2020.

Minor changes

1.4.11.1

Released October 27, 2018.

Hot fix

1.4.11

Released October 23, 2018.

This maintenance release addresses again the security vulnerability CVE-2013-7285, an arbitrary execution of commands when unmarshalling with XStream instances using an uninitialized security framework. Only 1.4.10 with an uninitialized security framework was affected.

Minor changes

Stream compatibility

API changes

1.4.10

Released May 23, 2017.

This maintenance release also addresses the security vulnerability CVE-2017-7957, used for a Denial of Service attack by crashing the Java runtime.

Major changes

Stream Compatibility

Minor changes

API changes

1.4.9

Released March 15, 2016.

This maintenance release also addresses the security vulnerability CVE-2016-3674, known as an XXE vulnerability, that can be used to expose arbitrary data from the file system when unmarshalling.

Major changes

Minor changes

API changes

1.4.8

Released February 18, 2015.

Major changes

Minor changes

API changes

1.4.7

Released February 8, 2014.

This maintenance release addresses mainly the security vulnerability CVE-2013-7285, an arbitrary execution of commands when unmarshalling.

Major changes

Minor changes

API changes

1.4.6

Released December 12, 2013.

Major changes

Minor changes

API changes

1.4.5

Released September 18, 2013.

Major changes

Minor changes

API changes

1.4.4

Released January 19, 2013.

Minor changes

API changes

1.4.3

Released July 17, 2012.

Major changes

Minor changes

1.4.2

Released November 3, 2011.

Major changes

Minor changes

API changes

1.4.1

Released August 11, 2011.

Major changes

Minor changes

1.4

Released August 6, 2011.

Major changes

Minor changes

API changes

1.3.1

Released December 6, 2008.

CGLIB support must now be explicitly activated. The decision has been made due to possible problems when using a custom classloader and because of ongoing complaints about exceptions occurring in the CGLIBEnhancedConverter at XStream initialization, although they are caused by incompatible ASM versions on the user's classpath (XSTR-469, XSTR-513 and XSTR-518).

XStream uses some attributes on its own. Until now it was possible to use XStream.aliasAttribute to define a different name. This still works but is deprecated for system attributes. Use the new call XStream.aliasSystemAttribute for such an alias.

Major changes

Minor changes

API changes

1.3

Released February 27, 2008.

Major changes

Minor changes

API changes

Note: to support a representation of null values in some way, it is absolutely necessary that each converter can handle a null value in its marshalling methods. If you have implemented your own custom converters, handle this case as well, to prevent incompatibilities if XStream provides such values in its next major version.

Version 1.2.2

Released May 24, 2007.

Note that the next version of XStream will behave slightly differently by default. XStream emits all fields in declaration order, like Java serialization. But in contrast to Java, it emits the fields of parent classes last, while Java serialization emits them first. This makes it difficult to match a given XML schema that defines inherited types, or sometimes leads to obscure initialization problems. However, XStream itself will not be affected by the changed order of elements in the XML; any deserialization of current XML representations will work fine. Anyway, we will provide with XStream 1.3 a FieldKeySorter implementation that mimics the old behaviour. In the meantime you can enforce the new field sorting by installing the NaturalFieldKeySorter.

Major changes

Minor changes

API changes

Version 1.2.1

Released November 11, 2006.

Major changes

Minor changes

API changes

Version 1.2

Released August 18, 2006.

Major changes

Technology preview

Minor changes

API changes

Version 1.1.3

Released January 13, 2006.

Major changes

Minor changes

API changes

Version 1.1.2

Released April 30, 2005. Most popular feature requests implemented. Java 5 Enum support. Serialization of JavaBeans using accessors. Aliasing of fields. StAX integration, with namespaces. Improved support on JDK 1.3 and IBM JDK.

Major changes

Minor changes

API changes

Version 1.1.1

Released March 7, 2005. Mostly bugfixes and minor feature enhancements.

Major changes

Minor changes

API changes

Version 1.1

Released January 15, 2005. Focus on support for objects defining custom serialization using the standard Java serialization mechanism.

Major changes

Minor changes

API changes

Version 1.0.2

Released August 7, 2004. Focus on improving the converters bundled with XStream to support a wider range of types.

Major changes

Minor changes

API changes

Version 1.0.1

Released May 30, 2004. Misc features and bugfixes.

Major changes

Minor changes

API changes

Version 1.0

Released May 14, 2004. Focusses on finalizing the API for 1.0 release.

Major changes

Minor changes

API changes

Version 1.0 (release candidate 1)

Released May 9, 2004. Focusses on finalizing the API for 1.0 release.

Major changes

Minor changes

API changes

About XStream version numbers...

Version 0.6

Released May 7, 2004. Focusses on providing full object graph support.

Major changes

Minor changes

API changes

Version 0.6 (release candidate 1)

Released April 19, 2004. Focusses on providing full object graph support.

Major changes

Minor changes

API changes

Version 0.5

Released March 8, 2004. Focussed on performance.

Major changes

Minor changes

API changes

Version 0.4

This version was never publicly released. All changes were made available in 0.5. Focussed on making it easier to create custom converters.

Major changes

Minor changes

API changes

Version 0.3

Released January 1, 2004.

Major changes

Minor changes

API changes

Older versions

Changes in XStream prior to version 0.3 were not logged.