Leigh Mcculloch

**Name of the Vulnerable Software and Affected Versions** stellar-xdr versions prior to 25.0.1 **Description** The `StringM::from str` function does not properly validate the length of input strings. When calling `StringM::<N>::from str(s)` with a string `s` exceeding the maximum allowed length `N`, the function incorrectly returns an `Ok` value instead of an error. This results in the creation of a `StringM` object that violates its length constraint. This issue impacts code that relies on the maximum length constraint being enforced when constructing `StringM` values from string input using `FromStr`, including `str::parse`. An oversized `StringM` could potentially propagate through serialization, validation, or other logic that assumes the length invariant is maintained. **Recommendations** Upgrade to version 25.0.1 or later. As a workaround, validate the byte length of string input before calling `StringM::from str`, or construct `StringM` values via `StringM::try from(s.as bytes().to vec())` to correctly enforce the length constraint.