Stellar XDR's StringM from_str bypasses length limit
CVE-2026-29795
GHSA-x57h-xx53-v53w
Summary
A bug in Stellar XDR's `StringM::from_str` lets it construct strings longer than the type's declared maximum length. This breaks any code that relies on that length limit being enforced. To fix this, update to the latest version of Stellar XDR, or check the byte length of string input yourself before constructing `StringM` values.
What to do
- Update stellar-xdr to version 25.0.1.
- Update stellar-crates stellar-xdr to version 25.0.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | stellar-xdr | <= 25.0.0 | 25.0.1 |
| stellar-crates | stellar-xdr | <= 25.0.1 | 25.0.1 |
Original title
stellar-xdr's StringM::from_str bypasses max length validation
Original description
### Impact
`StringM::from_str` does not validate that the input length is within the declared maximum (`MAX`). Calling `StringM::<N>::from_str(s)` where `s` is longer than `N` bytes succeeds and returns an `Ok` value instead of `Err(Error::LengthExceedsMax)`, producing a `StringM` that violates its length invariant.
This affects any code that constructs `StringM` values from string input using `FromStr` (including `str::parse`), and relies on the type's maximum length constraint being enforced. An oversized `StringM` could propagate through serialization, validation, or other logic that assumes the invariant holds.
All published versions of the `stellar-xdr` crate up to and including `v25.0.0` are affected.
### Patches
The fix is merged in [#500](https://github.com/stellar/rs-stellar-xdr/pull/500). It replaces the direct `Ok(Self(b))` construction with `b.try_into()`, which routes through `TryFrom<Vec<u8>>` and properly validates the length — matching the pattern already used by `BytesM::from_str`.
Users should upgrade to the first release containing this fix once published (the next release after `v25.0.0`).
### Workarounds
Validate the byte length of string input before calling `StringM::from_str`, or construct `StringM` values via `StringM::try_from(s.as_bytes().to_vec())` which correctly enforces the length constraint.
### References
- Issue: https://github.com/stellar/rs-stellar-xdr/issues/499
- Fix: https://github.com/stellar/rs-stellar-xdr/pull/500
NVD CVSS 3.1: 4.0
Vulnerability type: CWE-770 (Allocation of Resources Without Limits)
- https://github.com/advisories/GHSA-x57h-xx53-v53w
- https://github.com/stellar/rs-stellar-xdr/commit/1f840013c3e2fca0321fb844b048afa...
- https://github.com/stellar/rs-stellar-xdr/issues/499
- https://github.com/stellar/rs-stellar-xdr/pull/500
- https://github.com/stellar/rs-stellar-xdr/security/advisories/GHSA-x57h-xx53-v53...
- https://nvd.nist.gov/vuln/detail/CVE-2026-29795
- Product: https://github.com/stellar/rs-stellar-xdr
Published: 5 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026