About XStream

XStream is a simple library to serialize objects to XML and back again.


Typical Uses

Known Limitations

If using the enhanced mode, XStream can re-instantiate classes that do not have a default constructor. However, if using a different JVM like an old JRockit version, a JDK 1.4 or you have restrictions because of a SecurityManager, a default constructor is required.

The enhanced mode is also necessary to restore final fields for any JDK < 1.5. This implies deserialization of instances of an inner class.

Auto-detection of annotations may cause race conditions. Preprocessing annotations is safe though.

Getting Started

Latest News

February 8, 2014 XStream 1.4.7 released

This maintenance release addresses mainly the security vulnerability CVE-2013-7285, an arbitrary execution of commands when unmarshalling. All previous versions are affected running at least Java 5.

XStream contains now a security framework to fine-control the unmarshalled types.

View the complete change log and download.

Note, the next major release 1.5 will require Java 6.

Thanks to this impressive list of contributors.