It was discovered that XStream, a Java library to serialize objects to XML and back again, was susceptible to XML External Entity attacks.