About XStream

XStream is a simple library to serialize objects to XML and back again.

Features

Typical Uses

Known Limitations

In enhanced mode, XStream can re-instantiate classes that do not have a default constructor. However, a default constructor is required if you use a different JVM such as an old JRockit version or a JDK 1.4, or if a SecurityManager imposes restrictions.

The enhanced mode is also necessary to restore final fields for any JDK < 1.5. This implies deserialization of instances of an inner class.

Auto-detection of annotations may cause race conditions. Preprocessing annotations is safe though.

Getting Started

Latest News

October 27, 2018 XStream 1.4.11.1 released

Hot fix for XStream 1.4.11: Accidental breakage of Java runtimes < 8.

This maintenance release again addresses the security vulnerability CVE-2013-7285, an arbitrary execution of commands when unmarshalling with XStream instances whose security framework is uninitialized. Only 1.4.10 with an uninitialized security framework was affected.
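An XStream instance avoids the "uninitialized security framework" state described above once type permissions are configured explicitly. The following is an added example, not code from the XStream project: it denies all types, then allows only the ones the application expects. The classes `Person` and `Other`, the aliases and the sample XML are constructed for illustration, and it assumes an XStream 1.4.x jar on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class AllowlistDemo {
    // Hypothetical application types, constructed for this example.
    public static class Person { String name; int age; }
    public static class Other { String value; }

    static XStream newHardenedXStream() {
        // DomDriver uses the JDK's own XML parser, so no extra parser jar is needed.
        XStream xstream = new XStream(new DomDriver());
        // Initialize the security framework: deny every type first ...
        xstream.addPermission(NoTypePermission.NONE);
        // ... then allow only what the application expects to read.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { Person.class, String.class });
        // Aliases only map element names to classes; they grant no permission.
        xstream.alias("person", Person.class);
        xstream.alias("other", Other.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = newHardenedXStream();

        // Constructed sample input naming an allowed type.
        Person p = (Person) xstream.fromXML(
            "<person><name>Ada</name><age>36</age></person>");
        System.out.println("accepted: " + p.name + ", " + p.age);

        // Constructed sample input naming a type outside the allowlist.
        try {
            xstream.fromXML("<other><value>x</value></other>");
            System.out.println("unexpected: type was accepted");
        } catch (ForbiddenClassException e) {
            // The type is refused before any instance of it is created.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Permissions registered later are evaluated first, which is why the deny-all rule is added before the specific allowances.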

New future-proof method JVM.isVersion to detect major version of Java runtime (incl. Java 10) as replacement for individual JVM.isXY methods.

View the complete change log and download.

Note, the next major release 1.5 will require Java 7.

Thanks to this impressive list of contributors.