XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
CVE-2021-29505
Score elevated to 9.0 because EPSS predicts 90% probability of exploitation within the next 30 days (top 0.4% of all CVEs). NVD baseline CVSS 7.5 retained for reference. Confidence: see factors.
- High exploitation likelihood — EPSS 78%
A fix is available — apply it.
- CVSS v3
- 7.5
- EG Score
- 9.0(high)
- EPSS
- 99.5%
- KEV
- Not listed
Published
May 28, 2021
Last Modified
May 30, 2025
References (28)
- security-advisories@githubhttps://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f
- security-advisories@githubhttps://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
- security-advisories@githubhttps://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
- security-advisories@githubhttps://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E
- security-advisories@githubhttps://lists.debian.org/debian-lts-announce/2021/07/msg00004.html
- security-advisories@githubhttps://lists.fedoraproject.org/archives/list/[email protected]/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
- security-advisories@githubhttps://lists.fedoraproject.org/archives/list/[email protected]/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
- security-advisories@githubhttps://lists.fedoraproject.org/archives/list/[email protected]/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
- security-advisories@githubhttps://security.netapp.com/advisory/ntap-20210708-0007
- security-advisories@githubhttps://www.debian.org/security/2021/dsa-5004
- security-advisories@githubhttps://www.oracle.com/security-alerts/cpuapr2022.html
- security-advisories@githubhttps://www.oracle.com/security-alerts/cpujan2022.html
- security-advisories@githubhttps://www.oracle.com/security-alerts/cpujul2022.html
- security-advisories@githubhttps://www.oracle.com/security-alerts/cpuoct2021.html
- security-advisories@githubhttps://x-stream.github.io/CVE-2021-29505.html
Vendor Advisories for CVE-2021-29505(2)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Patch Availability(3)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | xstream | 2022-07-07 | redhat |
| redhat | patch | 2021-11-23 | redhat |
| redhat | xstream-0:1.3.1-14.el7_9 | 2021-07-12 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| com.thoughtworks.xstream:xstream | 0.1 ... 1.4.9 (41 versions) | 1.4.17 | — |
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(5)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHSA-2021:2683IMPORTANT2021-05-14
RHSA-2021:2683 — Important
- Red HatRHSA-2021:4767IMPORTANT2021-05-14
RHSA-2021:4767 — Important
- Red HatRHSA-2021:4918IMPORTANT2021-05-14
RHSA-2021:4918 — Important
- Red HatRHSA-2022:0297IMPORTANT2021-05-14
RHSA-2022:0297 — Important
- Red HatRHSA-2022:0520IMPORTANT2021-05-14
RHSA-2022:0520 — Important
Data Freshness Timeline
(refreshed 3× in last 7d / 27× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-08 15:12 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-02 16:57 UTCEPSS rescore
- 2026-07-01 02:18 UTCOSV refresh
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-29 14:04 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-21 14:55 UTCEPSS rescore
- 2026-06-21 14:54 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-15 17:46 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
Show 12 moreShow fewer
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-13 04:43 UTCOSV refresh
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 13:20 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-26 15:52 UTCEG score recompute
- 2026-05-26 15:52 UTCVendor advisory
Publicly available exploits
(2 references)Working exploit code is in the public domain (1 GitHub PoC). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCMyBlackManba/CVE-2021-29505First seen Jun 8, 2021
对CVE-2021-29505进行复现,并分析学了下Xstream反序列化过程
Open source ↗ - Nucleihttp/cves/2021/CVE-2021-29505.yamlFirst seen Jan 1, 2021
XStream <1.4.17 - Remote Code Execution
Open source ↗
Related CVEs(same vendor + same CWE)
Same vendor
10 shownredhat
Same CWE
10 shownCWE-502 · CWE-94
Frequently asked(5)
What is CVE-2021-29505?
When was CVE-2021-29505 disclosed?
Is CVE-2021-29505 actively exploited?
What is the CVSS score of CVE-2021-29505?
How do I remediate CVE-2021-29505?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-29505
Is Your Infrastructure Affected by CVE-2021-29505?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.