It was discovered that XStream, a Java library to serialise objects to XML and back again, was suspectible to denial of service during unmarshalling.