PT-2026-23612 · Unknown · Stellar-Xdr

Leigh Mcculloch +1

Published 2026-03-05 · Updated 2026-03-07 · CVE-2026-29795

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: stellar-xdr versions prior to 25.0.1
Description: The StringM::from_str function does not properly validate the length of input strings. When StringM::<N>::from_str(s) is called with a string s whose byte length exceeds the maximum allowed length N, the function incorrectly returns Ok instead of an error, producing a StringM value that violates its length constraint. This affects code that relies on the maximum length being enforced when constructing StringM values from string input via FromStr, including str::parse. An oversized StringM could then propagate through serialization, validation, or other logic that assumes the length invariant holds.
Recommendations: Upgrade to version 25.0.1 or later. As a workaround, validate the byte length of the string input before calling StringM::from_str, or construct StringM values via StringM::try_from(s.as_bytes().to_vec()), which correctly enforces the length constraint.
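The following is an added, self-contained Rust model of the defect and of the two workarounds above; it is not code from the stellar-xdr crate. The StringM newtype, its const-generic bound, the Error::LengthExceedsMax variant and the from_str_unchecked and parse_bounded helpers are assumptions made for illustration. It shows the pre-25.0.1 behaviour (an oversized value created through FromStr), the fixed FromStr that routes through TryFrom, and a caller-side pre-check that compares bytes, not characters, so multi-byte UTF-8 input is rejected correctly.

```rust
use std::convert::TryFrom;
use std::str::FromStr;

/// Assumed shape of a bounded XDR string: a byte vector with a maximum
/// length N. Model for illustration only, not stellar_xdr's definition.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct StringM<const N: u32>(Vec<u8>);

/// Assumed error type (mirrors the variant name used by the crate's
/// bounds checks; treat as an assumption).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Error {
    LengthExceedsMax,
}

impl<const N: u32> StringM<N> {
    pub fn len(&self) -> usize {
        self.0.len()
    }

    pub fn as_bytes(&self) -> &[u8] {
        &self.0
    }

    /// Model of the *affected* FromStr (versions before 25.0.1): the bytes
    /// are copied in without being compared against N, so an oversized
    /// value is returned as Ok and the length invariant is silently broken.
    /// Hypothetical name, kept separate from the trait method below.
    pub fn from_str_unchecked(s: &str) -> Result<Self, Error> {
        Ok(StringM(s.as_bytes().to_vec()))
    }
}

/// The byte-vector constructor the advisory recommends: this is the path
/// that actually enforces the bound.
impl<const N: u32> TryFrom<Vec<u8>> for StringM<N> {
    type Error = Error;

    fn try_from(v: Vec<u8>) -> Result<Self, Error> {
        if v.len() > N as usize {
            return Err(Error::LengthExceedsMax);
        }
        Ok(StringM(v))
    }
}

/// Fixed behaviour (25.0.1 and later, modelled): FromStr, and therefore
/// str::parse, delegates to the bounds-checked TryFrom instead of copying.
impl<const N: u32> FromStr for StringM<N> {
    type Err = Error;

    fn from_str(s: &str) -> Result<Self, Error> {
        Self::try_from(s.as_bytes().to_vec())
    }
}

/// Caller-side workaround for affected versions (hypothetical helper):
/// check the *byte* length first. str::len() is the UTF-8 byte count, which
/// is the quantity the XDR bound constrains; a char count would let
/// multi-byte input through.
pub fn parse_bounded<const N: u32>(s: &str) -> Result<StringM<N>, Error> {
    if s.len() > N as usize {
        return Err(Error::LengthExceedsMax);
    }
    StringM::try_from(s.as_bytes().to_vec())
}

fn main() {
    // Affected behaviour: 5 bytes accepted into a StringM<4>.
    let broken = StringM::<4>::from_str_unchecked("abcde").unwrap();
    println!("unchecked: len={} (bound 4)", broken.len());

    // Fixed behaviour and workaround: both reject the same input.
    println!("parse:     {:?}", "abcde".parse::<StringM<4>>());
    println!("workaround {:?}", parse_bounded::<4>("abcde"));

    // Constructed multi-byte input: 3 chars but 6 bytes, still rejected.
    println!("utf-8:     {:?}", parse_bounded::<4>("ééé"));
}
```

The point to carry over to real code: the byte-length check before calling from_str must use the UTF-8 byte count, since that is what the XDR bound constrains, and any downstream logic that re-validates StringM values on deserialization will not catch a value that was built oversized in memory and then serialized.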

Weakness Enumeration

Allocation of Resources Without Limits
Related Identifiers

CVE-2026-29795
GHSA-X57H-XX53-V53W

Affected Products

Stellar-Xdr