News
November 7, 2024 XStream 1.4.21 released
This maintenance release addresses the security vulnerability CVE-2024-47072, when using the BinaryDriver to unmarshal a manipulated input stream causing a Denial of Service due to a stack overflow.
A new converter for the WeakHashMap avoids the access to the ReentrantLock introduced with Java 19.
The release contains an optimization for the memory consumption.
View the complete change log and download.
Note, the next major release 1.5 will require Java 11.
December 24, 2022 XStream 1.4.20 released
This maintenance release addresses the security vulnerabilities CVE-2022-40151 and CVE-2022-41966, causing a Denial of Service by raising a stack overflow. It also provides new converters for Optional and Atomic types.
View the complete change log and download.
Note, the next major release 1.5 will require Java 11.
January 29, 2022 XStream 1.4.19 released
This maintenance release addresses the security vulnerability CVE-2021-43859, when unmarshalling highly recursive collections or maps causing a Denial of Service.
View the complete change log and download.
Note, the next major release 1.5 will require Java 8.
August 22, 2021 XStream 1.4.18 released
This maintenance release addresses the security vulnerabilities CVE-2021-39139, CVE-2021-39140, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152, CVE-2021-39153, and CVE-2021-39154, when unmarshalling with an XStream instance using the default blacklist of an uninitialized security framework. XStream is therefore now using a whitelist by default.
View the complete change log and download.
Note, the next major release 1.5 will require Java 8.
May 13, 2021 XStream 1.4.17 released
This maintenance release addresses the security vulnerability CVE-2021-29505, when unmarshalling with XStream instances using an uninitialized security framework.
View the complete change log and download.
Note, the next major release 1.5 will require Java 8.
March 13, 2021 XStream 1.4.16 released
This maintenance release switches XStream's default parser and addresses the following security vulnerabilities when unmarshalling with an XStream instance using an uninitialized security framework: CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, and CVE-2021-21351.
View the complete change log and download.
Note, the next major release 1.5 will require Java 8.
December 13, 2020 XStream 1.4.15 released
This maintenance release addresses the security vulnerabilities CVE-2020-26258 and CVE-2020-26259, when unmarshalling for XStream instances with uninitialized security framework.
View the complete change log and download.
Note, the next major release 1.5 will require Java 8.
November 16, 2020 XStream 1.4.14 released
This maintenance release addresses the security vulnerability CVE-2020-26217, reported originally as CVE-2017-9805 for Struts' XStream Plugin, an arbitrary execution of commands when unmarshalling for XStream instances with uninitialized security framework.
View the complete change log and download.
Note, the next major release 1.5 will require Java 8.
September 6, 2020 XStream 1.4.13 released
This is a simple maintenance release addressing some minor problems by deferring the initialization of some converters that will cause a warning about reflective access and by using an internal black list for the security framework to avoid unintended misconfiguration.
View the complete change log and download.
Note, the next major release 1.5 will require Java 8.
April 12, 2020 XStream 1.4.12 released
This is a simple maintenance release addressing some minor bugs.
Note, the next major release 1.5 will require Java 8.
October 27, 2018 XStream 1.4.11.1 released
Hot fix for XStream 1.4.11: Accidental breakage of Java runtimes < 8.
October 23, 2018 XStream 1.4.11 released
This maintenance release addresses again the security vulnerability CVE-2013-7285, an arbitrary execution of commands when unmarshalling for XStream instances with uninitialized security framework. Only 1.4.10 uninitialized security framework was affected.
New future-proof method JVM.isVersion to detect major version of Java runtime (incl. Java 10) as replacement for individual JVM.isXY methods.
View the complete change log and download.
Note, the next major release 1.5 will require Java 7.
May 23, 2017 XStream 1.4.10 released
This maintenance release addresses the security vulnerability CVE-2017-7957, a possibility for a denial of service attack. All previous versions are affected.
XStream supports now the java.time.* package of Java 8 with various new converters.
Emit warning message if XStream instance is still running with an uninitialized security framework.
Provide separate XStream artifact without stuff for Java 8.
View the complete change log and download.
Note, the next major release 1.5 will require Java 7.
March 15, 2016 XStream 1.4.9 released
Maintenance release 1.4.9 of XStream with bug fixes eliminating XXE vulnerability and new benchmark module.
CVE-2016-3674: Several parsers were vulnerable by processing external entities (XXE vulnerability). This has been turned off as far as possible.
The home-grown benchmark module has been replaced using an implementation based on JMH.
XStream supports now java.nio.Path with a specialized converter.
View the complete change log and download.
Note, the next major release 1.5 will require Java 7.
May 8, 2015 XStream hosted at GitHub
Codehaus has been XStream's home for more than a decade. Now is the time for a new home at GitHub, since Codehaus is shut down within the next few days.
The XStream committers want to thank Codehaus for their marvelous service over all those years.
The mailing lists are consolidated and are located now at Google Groups:
- User's list (xstream-user): For users and developers asking questions about XStream usage, enhancements and improvements for implementation details.
- Notification list (xstream-notifications): All kind of notifications like announcements, commits, and build server status.
February 18, 2015 XStream 1.4.8 released
Maintenance release 1.4.8 of XStream with bug fixes and improvements running with Java 8.
XStream supports now serializable lambda types for a Java 8 runtime.
View the complete change log and download.
Note, the next major release 1.5 will require Java 6.
February 8, 2014 XStream 1.4.7 released
This maintenance release addresses mainly the security vulnerability CVE-2013-7285, an arbitrary execution of commands when unmarshalling. All previous versions are affected running at least Java 5.
XStream contains now a security framework to fine-control the unmarshalled types.
View the complete change log and download.
December 12, 2013 XStream 1.4.6 released
Maintenance release 1.4.6 of XStream with bug fixes and improvements running with Java 8, in a GAE runtime environment and under an active SecurityManager.
View the complete change log and download.
September 28, 2013 XStream 1.4.5 released
Maintenance release 1.4.5 of XStream with bug fixes and small improvements.
- Allow unknown XML elements to be ignored using new method XStream.ignoreUnknownElements.
- Support for JDOM2 with JDom2Driver, JDom2Reader and JDom2Writer.
- Optimized XML structure for java.awt.Font.
- Referencing implementation for the ClassLoader to support environments where no new ClassLoader can be instantiated due to security restrictions.
View the complete change log and download.
September 26, 2013 A Decade of XStream
Joe Walnes made his initial commit to the XStream project at Codehaus on 26th September 2003. 10 years passed by and XStream celebrates its 10th birthday!
January 19, 2013 XStream 1.4.4 released
Maintenance release 1.4.4 of XStream with bug fixes and small improvements.
- DateConverter supports now localized formats.
View the complete change log and download.
July 17, 2012 XStream 1.4.3 released
Maintenance release 1.4.3 of XStream with bug fixes and small improvements. Main changes:
- Support java.util.concurrent.ConcurrentHashMap with the MapConverter.
- Support for Hibernate 4 with XStream's Hibernate module as default for Java 6 or higher.
View the complete change log and download.
November 3, 2011 XStream 1.4.2 released
Maintenance release 1.4.2 of XStream with bug fixes and small improvements. Main changes:
- XStream libraries can be used now directly in Android, therefore support of Java 1.4.2 has been stopped with the delivery. Anyone who needs a version for Java 1.4.2 can build it easily from source, this build is still supported and part of CI.
- New extended HierarchicalStreamReader interface with peekNextChild method. All XStream readers implement the new interface (by Nikita Levyankov).
- Special support for Collections.EMPTY_LIST, Collections.EMPTY_SET and Collections.EMPTY_MAP and collections created with Collections.singletonList(), Collections.singletonSet() and Collections.singletonMap().
- Support additional parameters for XStreamConverter annotation (e.g. to declare a ToAttributedValueConverter).
View the complete change log and download.
August 11, 2011 XStream 1.4.1 released
Maintenance release 1.4.1 of XStream after turning out that it did not work in 1.4 with the new default dependencies. Therefore XStream is back with Xpp3 as default parser and refers additionally to the XmlPullParser API to enable the XppDriver that is used by default.
View the complete change log and download.
August 6, 2011 XStream 1.4 released
Finally - XStream 1.4 is ready for delivery. A lot of things have changed and improved, new features added. Nevertheless we have maintained compatibility to the old versions:
- Detection of Java 7 and Android i.e. enabled enhanced mode and annotations for both environments out of the box
- Direct support of XmlPullParser factory and alternate kXML2 implementation
- Explicit drivers to select the StAX implementation
- New separate Hibernate module to support those managed instances (special thanks to Jaime Metcher)
- Support of implicit arrays and maps additionally to already existing implicit collection support
- Performance improvements (special thanks to Keith Kowalczykowski)
- Some new converters (for URI and one to write all fields but one as attributes)
- A lot of other enhancements and bug fixes
View the complete change log and download.
Thanks to this impressive list of contributors.
Note, that with version 1.4 the default parser has been changed from Xpp3 to kXML2.
Note, that JDK 1.3 support has been officially dropped. Nothing special has been done to enforce this, but there is no longer any support.
Note, to support a representation of null values in some way, it is absolutely necessary that each converter can handle a null value in its marshalling methods. If you have implemented your own custom converters, try to handle such a case also to prevent incompatibilities in case XStream will provide such values with its next major version.
December 6, 2008 XStream 1.3.1 released
A new XStream maintenance version has been released. The release contains some bug fixes, some minor enhancements and support of new JDKs:
- Ability to alias package names
- Converters are only registered by default for types delivered with the JDK in use preventing unexpected incompatibilities
- Separation between user defined attributes and XStream attributes
- New mode for JSONWriter to drop JSON root node
- Support for FreeBSD's Diablo JDK.
- Enhanced persistence package and extended tutorial.
View the complete change log and download.
Note, that XStream really supports by default now only types of the JDK in use. Especially for CGLIB this means that support of those proxies will have to be explicitly activated first. However, support for CGLIB proxies has been enhanced.
Note, to support a representation of null values in some way, it is absolutely necessary that each converter can handle a null value in its marshalling methods. If you have implemented your own custom converters, try to handle such a case also to prevent incompatibilities in case XStream will provide such values with its next major version.
February 27, 2008 XStream 1.3 released
The XStream committers proudly present XStream 1.3. This release contains some major refactorings concerning Java annotations, improved XML support regarding encoding and character sets, some minor new features, deprecations and a lot of bug fixes:
- Annotation support is now implemented as Mapper and Annotations can either be processed in advance or on-the-fly (see Annotations tutorial for limitations).
- Improved encoding support for JSON and XML (including automated support for XML headers). Enforceable check for valid XML characters in the written stream.
- Dedicated converters can now be configured for individual fields also using the XStream facade.
- New converters for java.lang.StringBuilder, java.util.UUID, javax.xml.datatype.Duration, and javax.swing.LookAndFeel. New generic converter for types using a java.beans.PropertyEditor. Auto-instantiated SingleValueConverter for Java enums to support enum values as attributes.
- XML elements are now sorted by default according their declaration with the fields defined in parent classes first to improve support for type hierarchies in XML schemata.
- A lot of bug fixes to improve JSON support for arbitrary types. Added section in FAQ for limitations and operation modes.
- Native support for SAP VM.
- All text-based files are now shipped with an appropriate license header to clean-up legal issues.
View the complete change log and download.
Note, to support a representation of null values in some way, it is absolutely necessary that each converter can handle a null value in its marshalling methods. If you have implemented your own custom converters, try to handle such a case also to prevent incompatibilities in case XStream will provide such values with its next major version.
May 24, 2007 XStream 1.2.2 released
A maintenance release of XStream that contains a lot of bug fixes and has some minor highlights:
- JSON serialization and deserialization support with the help of the new JettisonMappedXmlDriver
- Supports customized field sorting
- Omitting fields at deserialization time
View the complete change log and download.
Note, that next version of XStream will behave slightly different by default. XStream emits all fields in declaration order like Java serialization. But in contrast to Java it will emit the fields of parent classes last while Java serialization emits them first. This makes it difficult to match a given XML schema that defined inherited types or leads sometimes to obscure initialization problems. However, XStream itself will not be affected by the changed order of elements in the XML, any deserialization of current XML representations will work fine. Anyway we will provide with XStream 1.3 a FieldKeySorter implementation that mimics the old behaviour. In the meantime you can enforce the new field sorting by installing the NaturalFieldKeySorter.
November 11, 2006 XStream 1.2.1 released
- Introduced DocumentWriter interface and generalized functionality for all writer implementations creating a DOM structure (DOM4J, DOM, JDom, Xom, Xpp3Dom).
- Refactor of build system to use Maven 2. Ant still supported on XStream Core.
- Created separate XStream Benchmark module
View the complete change log and download.
Oct 10, 2006 Joe Walnes announcing new XStream Project Lead
I have been the XStream project lead, since it was open sourced 3 years ago. In that time, it has attracted some excellent developers who have formed the foundations of the user community, made all kinds of significant improvements and pushed out new releases. It's now approaching its 1000th commit.
The development community that has formed around XStream has been outstanding - more than I could ever have imagined. In particular, the following people have invested a lot of time into XStream, both from a technical and social point of view:
- Jörg Schaible
- Mauro Talevi
- Guilherme Silveira
- Jason van Zyl
- Me (well I have!)
Recently I have been turning my attention to other things and XStream has been very much a self sustaining project. I've decided that the project would benefit from having a project lead who can invest a lot more time than I can currently offer.
So, the new XStream project lead will be Jörg Schaible, who along with Mauro Talevi and Guilherme Silveira will carry XStream forward. This has been happening for a long while anyway, it's just none of us ever realised or acknowledged it.
Of course, I'll still be lurking around, helping the transition, having loud mouth opinions and generally annoying people in any way I can... you haven't got rid of me that easily. ;)
I know Jörg, Mauro and Guilherme will be able to carry XStream into the next generation (we have a lot of ambitious plans for XStream 2).
I'd also like to thank the 45(!) other contributors to the XStream project, who have all helped make it what it is today. Finally, thanks to Graham Glass, whose Electric XML library formed a lot of the inspiration for XStream.
August 18, 2006 XStream 1.2 released
- Using attributes for fields (contributed by Paul Hammant and Ian Cartwright).
- Aliasing of arbitrary attributes.
- XStream can now serialize another XStream instance.
- XStream has now the XStreamer, that serializes an object together with its XStream instance.
- AnnotationConverter for fields (contributed by Guilherme Silveira).
- PureJavaReflectionProvider supports now final fields starting with JDK 1.5
- Any Collection type can now be declared implicit, the default implementation will be respected for unmarshalling.
- XStream can now write all references as absolute XPath expression.
- New SingleValueConverter allows light weight converters if the value can be represented by a unique string.
- Aliasing of classes of a specific type.
- Support for certain types of proxies generated with the CGLIB Enhancer.
- Support for BEA JRockit starting with R25.1.0 (contributed by Henrik Ståhl of BEA).
- Experimental binary reader and writer.
- Experimental HierarchicalStreamCopier allows streams to be copied from one format to another without the overhead of serialization.
- Experimental JSON support allows streams to be copied from one format to another without the overhead of serialization (contributed by Paul Hammant).
View the complete change log and download.
January 13, 2006 XStream 1.1.3 released
- Added XStream.toXML(OutputStream) and XStream.fromXML(InputStream).
- Ability to prevent fields from being serialized by calling XStream.omitField() or by implementing Mapper.shouldSerializeMember().
- Added Converter for Enum, EnumMap and EnumSet
- Added BeanConverter and ISO8601SqlTimestampConverter
- Fixed support for IBM JVM (contributed by Gabor Liptak)
- Enhanced mode support for Blackdown JDK.
View the complete change log and download.
April 30, 2005 XStream 1.1.2 released
Most popular feature requests implemented.
- Java 5 Enum support.
- JavaBeanConverter for serialization using getters and setters.
- Aliasing of fields.
- StAX integration, with namespaces.
- Improved support on JDK 1.3 and IBM JDK.
View the complete change log and download.
March 7, 2005 XStream 1.1.1 released
- Converters can be registered with a priority, allowing more generic filters to handle classes that don't have more specific converters.
- Converters can now access underlying HierarchicalStreamReader/Writer implementations to make implementation specific calls.
- Improved support for classes using ObjectInputFields and ObjectInputValidation to follow the serialization specification.
- Default ClassLoader may be changed using XStream.setClassLoader().
- Many bugfixes and performance enhancements.
View the complete change log and download.
January 15, 2005 XStream 1.1 released
- Improved support for serializing objects as per the Java Serialization Specification:
- Calls custom serialization methods, readObject(), writeObject(), readResolve() and writeReplace() in class, if defined.
- Supports ObjectInputStream.getFields() and ObjectOutputStream.putFields() in custom serialization.
- Provides implementations of ObjectInputStream and ObjectOutputStream, allowing drop in replacements for standard serialization, including support for streams of objects.
- Reads and writes directly to most XML Java APIs: DOM, DOM4J, JDOM, XOM, Electric XML, StAX, Trax (write only), SAX (write only).
View the complete change log and download.