GHSA-X57H-XX53-V53W
Vulnerability from github – Published: 2026-03-05 20:45 – Updated: 2026-03-06 22:51
Impact
StringM::from_str does not validate that the input length is within the declared maximum (MAX). Calling StringM::<N>::from_str(s) where s is longer than N bytes succeeds and returns an Ok value instead of Err(Error::LengthExceedsMax), producing a StringM that violates its length invariant.
This affects any code that constructs StringM values from string input using FromStr (including str::parse), and relies on the type's maximum length constraint being enforced. An oversized StringM could propagate through serialization, validation, or other logic that assumes the invariant holds.
All published versions of the stellar-xdr crate up to and including v25.0.0 are affected.
Patches
The fix is merged in #500. It replaces the direct Ok(Self(b)) construction with b.try_into(), which routes through TryFrom<Vec<u8>> and properly validates the length — matching the pattern already used by BytesM::from_str.
Users should upgrade to the first release containing this fix once published (the next release after v25.0.0).
Workarounds
Validate the byte length of string input before calling StringM::from_str, or construct StringM values via StringM::try_from(s.as_bytes().to_vec()), which correctly enforces the length constraint.
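The bug, the fix and the workaround side by side, as an added example that is not stellar-xdr's own code: a simplified stand-in for StringM<MAX> (a Vec<u8> bounded to MAX bytes) whose unchecked constructor mirrors the pre-fix Ok(Self(b)), whose FromStr impl uses the fixed b.try_into() path, and whose parse_bounded helper is the advisory's validate-before-calling workaround. The type and helper names here are assumptions, not the crate's API.

```rust
use std::convert::{TryFrom, TryInto};
use std::str::FromStr;

#[derive(Debug, PartialEq)]
pub enum Error {
    LengthExceedsMax,
}

/// Simplified model of a bounded string (assumption, not the crate's type):
/// the invariant is that the payload holds at most MAX bytes.
#[derive(Debug, PartialEq)]
pub struct StringM<const MAX: u32>(Vec<u8>);

impl<const MAX: u32> TryFrom<Vec<u8>> for StringM<MAX> {
    type Error = Error;
    // The one place the length invariant is enforced.
    fn try_from(v: Vec<u8>) -> Result<Self, Error> {
        if v.len() > MAX as usize {
            return Err(Error::LengthExceedsMax);
        }
        Ok(StringM(v))
    }
}

impl<const MAX: u32> StringM<MAX> {
    /// Pre-fix path as the advisory describes it: `Ok(Self(b))` with no check,
    /// so oversized input comes back as Ok and the invariant is silently broken.
    pub fn from_str_unchecked(s: &str) -> Result<Self, Error> {
        let b = s.as_bytes().to_vec();
        Ok(StringM(b))
    }
    pub fn len(&self) -> usize { self.0.len() }
    pub fn holds_invariant(&self) -> bool { self.0.len() <= MAX as usize }
}

impl<const MAX: u32> FromStr for StringM<MAX> {
    type Err = Error;
    /// Fixed path: `b.try_into()` routes through TryFrom<Vec<u8>> above.
    fn from_str(s: &str) -> Result<Self, Error> {
        let b = s.as_bytes().to_vec();
        b.try_into()
    }
}

/// Workaround for affected versions: check the byte length (not the char
/// count, since MAX is in bytes) before calling the unchecked constructor.
pub fn parse_bounded<const MAX: u32>(s: &str) -> Result<StringM<MAX>, Error> {
    if s.len() > MAX as usize {
        return Err(Error::LengthExceedsMax);
    }
    StringM::<MAX>::from_str_unchecked(s)
}
```

A multi-byte input such as three "é" characters (3 chars, 6 bytes) is the case a char-count check would miss; the byte-length checks above reject it for MAX = 4.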
References
- Issue: https://github.com/stellar/rs-stellar-xdr/issues/499
- Fix: https://github.com/stellar/rs-stellar-xdr/pull/500
```json
{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 25.0.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "stellar-xdr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "25.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29795"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T20:45:46Z",
    "nvd_published_at": "2026-03-06T21:16:15Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n`StringM::from_str` does not validate that the input length is within the declared maximum (`MAX`). Calling `StringM::\u003cN\u003e::from_str(s)` where `s` is longer than `N` bytes succeeds and returns an `Ok` value instead of `Err(Error::LengthExceedsMax)`, producing a `StringM` that violates its length invariant.\n\nThis affects any code that constructs `StringM` values from string input using `FromStr` (including `str::parse`), and relies on the type\u0027s maximum length constraint being enforced. An oversized `StringM` could propagate through serialization, validation, or other logic that assumes the invariant holds.\n\nAll published versions of the `stellar-xdr` crate up to and including `v25.0.0` are affected.\n\n### Patches\n\nThe fix is merged in [#500](https://github.com/stellar/rs-stellar-xdr/pull/500). It replaces the direct `Ok(Self(b))` construction with `b.try_into()`, which routes through `TryFrom\u003cVec\u003cu8\u003e\u003e` and properly validates the length \u2014 matching the pattern already used by `BytesM::from_str`.\n\nUsers should upgrade to the first release containing this fix once published (the next release after `v25.0.0`).\n\n### Workarounds\n\nValidate the byte length of string input before calling `StringM::from_str`, or construct `StringM` values via `StringM::try_from(s.as_bytes().to_vec())` which correctly enforces the length constraint.\n\n### References\n\n- Issue: https://github.com/stellar/rs-stellar-xdr/issues/499\n- Fix: https://github.com/stellar/rs-stellar-xdr/pull/500",
  "id": "GHSA-x57h-xx53-v53w",
  "modified": "2026-03-06T22:51:52Z",
  "published": "2026-03-05T20:45:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-stellar-xdr/security/advisories/GHSA-x57h-xx53-v53w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29795"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-stellar-xdr/issues/499"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-stellar-xdr/pull/500"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-stellar-xdr/commit/1f840013c3e2fca0321fb844b048afa01d10dda6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/stellar/rs-stellar-xdr"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "stellar-xdr\u0027s StringM::from_str bypasses max length validation"
}
```