News

November 7, 2024 XStream 1.4.21 released

This maintenance release addresses the security vulnerability CVE-2024-47072, when using the BinaryDriver to unmarshal a manipulated input stream causing a Denial of Service due to a stack overflow.

A new converter fir the WeakHashMap avoids the access to the ReentrantLock introduced with Java 19.

The release contains an optimization for the memory consumption.

View the complete change log and download.

Note, the next major release 1.5 will require Java 11.

December 24, 2022 XStream 1.4.20 released

This maintenance release addresses the security vulnerabilities CVE-2022-40151 and CVE-2022-41966, causing a Denial of Service by raising a stack overflow. It also provides new converters for Optional and Atomic types.

View the complete change log and download.

Note, the next major release 1.5 will require Java 11.

January 29, 2022 XStream 1.4.19 released

This maintenance release addresses the security vulnerability CVE-2021-43859, when unmarshalling highly recursive collections or maps causing a Denial of Service.

View the complete change log and download.

Note, the next major release 1.5 will require Java 8.

August 22, 2021 XStream 1.4.18 released

This maintenance release addresses the security vulnerabilities CVE-2021-39139, CVE-2021-39140, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152, CVE-2021-39153, and CVE-2021-39154, when unmarshalling with an XStream instance using the default blacklist of an uninitialized security framework. XStream is therefore now using a whitelist by default.

View the complete change log and download.

Note, the next major release 1.5 will require Java 8.

May 13, 2021 XStream 1.4.17 released

This maintenance release addresses the security vulnerability CVE-2021-29505, when unmarshalling with XStream instances using an uninitialized security framework.

View the complete change log and download.

Note, the next major release 1.5 will require Java 8.

March 13, 2021 XStream 1.4.16 released

This maintenance release switches XStream's default parser and addresses following security vulnerabilities, when unmarshalling with an XStream instances using an uninitialized security framework: CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, and CVE-2021-21351.

View the complete change log and download.

Note, the next major release 1.5 will require Java 8.

December 13, 2020 XStream 1.4.15 released

This maintenance release addresses the security vulnerabilities CVE-2020-26258 and CVE-2020-26259, when unmarshalling for XStream instances with uninitialized security framework.

View the complete change log and download.

Note, the next major release 1.5 will require Java 8.

November 16, 2020 XStream 1.4.14 released

This maintenance release addresses the security vulnerability CVE-2020-26217, reported originally as CVE-2017-9805 for Struts' XStream Plugin, an arbitrary execution of commands when unmarshalling for XStream instances with uninitialized security framework.

View the complete change log and download.

Note, the next major release 1.5 will require Java 8.

September 6, 2020 XStream 1.4.13 released

This is a simple maintenance release addressing some minor problems by deferring the initialization of some converters that will cause a warning about reflective access and by using an internal black list for the security framework to avoid unintended misconfiguration.

View the complete change log and download.

Note, the next major release 1.5 will require Java 8.

April 12, 2020 XStream 1.4.12 released

This is a simple maintenance release addressing some minor bugs.

Note, the next major release 1.5 will require Java 8.

October 27, 2018 XStream 1.4.11.1 released

Hot fix for XStream 1.4.11: Accidental breakage of Java runtimes < 8.

October 23, 2018 XStream 1.4.11 released

This maintenance release addresses again the security vulnerability CVE-2013-7285, an arbitrary execution of commands when unmarshalling for XStream instances with uninitialized security framework. Only 1.4.10 uninitialized security framework was affected.

New future-proof method JVM.isVersion to detect major version of Java runtime (incl. Java 10) as replacement for individual JVM.isXY methods.

View the complete change log and download.

Note, the next major release 1.5 will require Java 7.

May 23, 2017 XStream 1.4.10 released

This maintenance release addresses the security vulnerability CVE-2017-7957, a possibility for a denial of service attack. All previous versions are affected.

XStream supports now the java.time.* package of Java 8 with various new converters.

Emit warning message if XStream instance is still running with an uninitialized security framework.

Provide separate XStream artifact without stuff for Java 8.

View the complete change log and download.

Note, the next major release 1.5 will require Java 7.

March 15, 2016 XStream 1.4.9 released

Maintenance release 1.4.9 of XStream with bug fixes eliminating XXE vulnerability and new benchmark module.

CVE-2016-3674: Several parsers were vulnerable by processing external entities (XXE vulnerability). This has been turned off as far as possible.

The home-grown benchmark module has been replaced using an implementation based on JMH.

XStream supports now java.nio.Path with a specialized converter.

View the complete change log and download.

Note, the next major release 1.5 will require Java 7.

May 8, 2015 XStream hosted at GitHub

Codehaus has been XStream's home for more than a decade. Now is the time for a new home at GitHub, since Codehaus is shut down within the next few days.

The XStream committers want to thank Codehaus for their marvelous service over all those years.

The mailing lists are consolidated and are located now at Google Groups:

February 18, 2015 XStream 1.4.8 released

Maintenance release 1.4.8 of XStream with bug fixes and improvements running with Java 8.

XStream supports now serializable lambda types for a Java 8 runtime.

View the complete change log and download.

Note, the next major release 1.5 will require Java 6.

February 8, 2014 XStream 1.4.7 released

This maintenance release addresses mainly the security vulnerability CVE-2013-7285, an arbitrary execution of commands when unmarshalling. All previous versions are affected running at least Java 5.

XStream contains now a security framework to fine-control the unmarshalled types.

View the complete change log and download.

December 12, 2013 XStream 1.4.6 released

Maintenance release 1.4.6 of XStream with bug fixes and improvements running with Java 8, in a GAE runtime environment and under an active SecurityManager.

View the complete change log and download.

September 28, 2013 XStream 1.4.5 released

Maintenance release 1.4.5 of XStream with bug fixes and small improvements.

View the complete change log and download.

September 26, 2013 A Decade of XStream

Joe Walnes made his initial commit to the XStream project at Codehaus in 26th September 2003. 10 years passed by and XStream celebrates its 10th birthday!

January 19, 2013 XStream 1.4.4 released

Maintenance release 1.4.4 of XStream with bug fixes and small improvements.

View the complete change log and download.

July 17, 2012 XStream 1.4.3 released

Maintenance release 1.4.3 of XStream with bug fixes and small improvements. Main changes:

View the complete change log and download.

November 3, 2011 XStream 1.4.2 released

Maintenance release 1.4.2 of XStream with bug fixes and small improvements. Main changes:

View the complete change log and download.

August 11, 2011 XStream 1.4.1 released

Maintenance release 1.4.1 of XStream after turning out that it did not work in 1.4 with the new default dependencies. Therefore XStream is back with Xpp3 as default parser and refers additionally the XmlPullParser API to enable the XppDriver that is used by default.

View the complete change log and download.

August 6, 2011 XStream 1.4 released

Finally - XStream 1.4 is ready for delivery. A lot of things have changed and improved, new features added. Nevertheless we have maintain compatibility to the old versions:

View the complete change log and download.

Thanks to this impressive list of contributors.

Note, that with version 1.4 the default parser has been changed from Xpp3 to kXML2.

Note, that JDK 1.3 support has been officially dropped. Nothing special has been done to enforce this, but there is no longer any support.

Note, to support a representation of null values in some way, it is absolutely necessary that each converter can handle a null value in its marshalling methods. If you have implemented your own custom converters, try to handle such a case also to prevent incompatibilities in case XStream will provide such values with its next major version.

December 6, 2008 XStream 1.3.1 released

A new XStream maintenance version has been released. The release contains some bug fixes, some minor enhancements and support of new JDKs:

View the complete change log and download.

Note, that XStream really supports by default now only types of the JDK in use. Especially for CGLIB this means that support of those proxies will have to be explicitly activated first. However, support for CGLIB proxies has been enhanced.

Note, to support a representation of null values in some way, it is absolutely necessary that each converter can handle a null value in its marshalling methods. If you have implemented your own custom converters, try to handle such a case also to prevent incompatibilities in case XStream will provide such values with its next major version.

February 27, 2008 XStream 1.3 released

The XStream committers proudly present XStream 1.3. This release contains some major refactorings concerning Java annotations, improved XML support regarding encoding and character sets, some minor new features, deprecations and a lot of bug fixes:

View the complete change log and download.

Note, to support a representation of null values in some way, it is absolutely necessary that each converter can handle a null value in its marshalling methods. If you have implemented your own custom converters, try to handle such a case also to prevent incompatibilities in case XStream will provide such values with its next major version.

May 24, 2007 XStream 1.2.2 released

A maintenance release of XStream that contains a lot of bug fixes and has some minor highlights:

View the complete change log and download.

Note, that next version of XStream will behave slightly different by default. XStream emits all fields in declaration order like Java serialization. But in contrast to Java it will omit the fields of parent classes last while Java serialization emits them first. This makes it difficult to match a given XML schema that defined inherited types or leads sometimes to obscure initialization problems. However, XStream itself will not be affected by the changed order of elements in the XML, any deserialization of current XML representations will work fine. Anyway we will provide with XStream 1.3 a FieldKeySorter implementation that mimics the old behaviour. In the meanwhile you can enforce the new field sorting by installing the NaturalFieldKeySorter.

November 11, 2006 XStream 1.2.1 released

View the complete change log and download.

Oct 10, 2006Joe Walness announcing new XStream Project Lead

I have been the XStream project lead, since it was open sourced 3 years ago. In that time, it has attracted some excellent developers who have formed the foundations of the user community, made all kinds of significant improvements and pushed out new releases. It's now approaching its 1000th commit.

The development community that has formed around XStream has been outstanding - more than I could ever have imagined. In particular, the following people have invested a lot of time into XStream, both from a technical and social point of view:

Recently I have been turning my attention to other things and XStream has been very much a self sustaining project. I've decided that the project would benefit from have a project lead who can invest a lot more time than I can currently offer.

So, the new XStream project lead will be Jörg Schaible, who along with Mauro Talevi and Guilherme Silveira will carry XStream forward. This has been happening for a long while anyway, it's just none of us ever realised or acknowledged it.

Of course, I'll still be lurking around, helping the transition, having loud mouth opinions and generally annoying people in any way I can... you haven't got rid of me that easily. ;)

I know Jörg, Mauro and Guilherme will be able carry XStream into the next generation (we have a lot of ambitious plans for XStream 2).

I'd also like to thank the 45(!) other contributers to the XStream project, who have all helped make it what it is today. Finally, thanks to Graham Glass, who's Electric XML library formed a lot of the inspiration for XStream.

August 18, 2006 XStream 1.2 released

View the complete change log and download.

January 13, 2006 XStream 1.1.3 released

View the complete change log and download.

April 30, 2005 XStream 1.1.2 released

Most popular feature requests implemented.

View the complete change log and download.

March 7, 2005 XStream 1.1.1 released

View the complete change log and download.

January 15, 2005 XStream 1.1 released

View the complete change log and download.