About XStream

XStream is a simple library to serialize objects to XML and back again.

Features

Typical Uses

Known Limitations

If using the enhanced mode, XStream can re-instantiate classes that do not have a default constructor. However, if using a different JVM like an old JRockit version, a JDK 1.4 or you have restrictions because of a SecurityManager, a default constructor is required.

The enhanced mode is also necessary to restore final fields for any JDK < 1.5. This implies deserialization of instances of an inner class.

Auto-detection of annotations may cause race conditions. Preprocessing annotations is safe though.

Getting Started

Latest News

November 7, 2024 XStream 1.4.21 released

This maintenance release addresses the security vulnerability CVE-2024-47072, when using the BinaryDriver to unmarshal a manipulated input stream causing a Denial of Service due to a stack overflow.

A new converter fir the WeakHashMap avoids the access to the ReentrantLock introduced with Java 19.

The release contains an optimization for the memory consumption.

View the complete change log and download.

Note, the next major release 1.5 will require Java 11.