PT-2026-25033 · Git+2 · Rs-Soroban-Poseidon+1

Highleighmcculloch · Published 2026-03-12 · Updated 2026-03-13 · CVE-2026-32129

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

soroban-poseidon (affected versions not specified)
Description

The soroban-poseidon crate provides the Poseidon and Poseidon2 cryptographic hash functions for Soroban smart contracts. The Poseidon V1 implementation (PoseidonSponge) is susceptible to hash collisions on variable-length inputs because it applies no injective padding. When fewer inputs are supplied than the sponge rate (inputs.len() < T - 1, where T is the state width and T - 1 the rate), the unused rate positions are implicitly filled with zeros, so the sponge cannot distinguish an input that was absent from an input that was zero. This allows trivial collisions: hash([m1, ..., mk]) equals hash([m1, ..., mk, 0]) whenever the sponge rate T - 1 is greater than k. Any use of PoseidonSponge, or of the poseidon hash built on it, with fewer than T - 1 inputs is affected, for example hashing a single input with T = 3. The Poseidon2 implementation (Poseidon2Sponge) is not affected because it encodes the input length in the capacity element. The vulnerable function is PoseidonSponge::compute_hash.
Recommendations

Upgrade to the next release containing the fix, which makes PoseidonSponge::compute_hash enforce inputs.len() == RATE (RATE = T - 1). If upgrading is not immediately possible, make sure every caller instantiates the sponge with T = inputs.len() + 1, so the rate is always fully used and no rate position is zero-filled. Alternatively, migrate to Poseidon2Sponge, which is safe for variable-length inputs because it binds the input length into the capacity element. Note that both the full-rate workaround and the migration to Poseidon2Sponge change the digest produced for inputs that were previously hashed with a short rate, so any stored commitments or on-chain values derived from those digests must be recomputed.
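
The collision and both remediations above, as an added Rust example that is not part of this advisory or of the soroban-poseidon crate. It assumes a toy permutation over integers mod 2^61 - 1 in place of the real Poseidon permutation, and the hypothetical function names vulnerable_hash, fixed_hash and length_tagged_hash; the crate's real API and field differ, and the length encoding in length_tagged_hash only illustrates the principle the advisory attributes to Poseidon2Sponge, not its exact encoding.

```rust
// Added illustration of CVE-2026-32129; NOT code from rs-soroban-poseidon.
// Assumption: a toy permutation over integers mod 2^61 - 1 stands in for the
// real Poseidon permutation (which runs over a pairing-friendly scalar field).
// The collision depends only on how the sponge's rate positions are filled,
// so the toy permutation reproduces it faithfully.

/// Toy field modulus, the Mersenne prime 2^61 - 1 (assumption, not the crate's field).
const P: u64 = (1u64 << 61) - 1;

fn add_mod(a: u64, b: u64) -> u64 {
    ((a as u128 + b as u128) % (P as u128)) as u64
}

fn mul_mod(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) % (P as u128)) as u64
}

/// S-box x^17: a bijection on this field because gcd(17, P - 1) = 1.
fn sbox(x: u64) -> u64 {
    let x2 = mul_mod(x, x);
    let x4 = mul_mod(x2, x2);
    let x8 = mul_mod(x4, x4);
    let x16 = mul_mod(x8, x8);
    mul_mod(x16, x)
}

/// Stand-in permutation on a width-T state: round constants, S-box, then the
/// invertible mixing state <- (J + I) * state (determinant T + 1, nonzero mod P).
fn permute<const T: usize>(state: &mut [u64; T]) {
    for round in 0..8u64 {
        for (i, lane) in state.iter_mut().enumerate() {
            *lane = sbox(add_mod(*lane, round * 0x9E37_79B9 + i as u64 + 1));
        }
        let sum = state.iter().fold(0u64, |acc, &v| add_mod(acc, v));
        for lane in state.iter_mut() {
            *lane = add_mod(sum, *lane);
        }
    }
}

#[derive(Debug, PartialEq)]
enum HashError {
    WrongInputLength { expected: usize, got: usize },
}

/// Single-block sponge with the behaviour the advisory describes for
/// PoseidonSponge (hypothetical name): inputs fill the first inputs.len()
/// rate lanes, every other rate lane stays zero, the capacity lane state[T-1]
/// is untouched, and the digest is state[0] after the permutation.
fn vulnerable_hash<const T: usize>(inputs: &[u64]) -> u64 {
    assert!(T >= 2, "need at least one rate lane and one capacity lane");
    assert!(inputs.len() <= T - 1, "toy sponge absorbs at most one block");
    let mut state = [0u64; T];
    for (i, m) in inputs.iter().enumerate() {
        state[i] = add_mod(state[i], *m);
    }
    permute(&mut state);
    state[0]
}

/// Fix in the form the advisory recommends: reject anything but a full rate,
/// so a caller can no longer hash [m1] and [m1, 0] to the same value with T = 3.
fn fixed_hash<const T: usize>(inputs: &[u64]) -> Result<u64, HashError> {
    if inputs.len() != T - 1 {
        return Err(HashError::WrongInputLength { expected: T - 1, got: inputs.len() });
    }
    Ok(vulnerable_hash::<T>(inputs))
}

/// The principle the advisory attributes to Poseidon2Sponge: write the input
/// length into the capacity lane before permuting, so [m1] and [m1, 0] start
/// from different states. The exact Poseidon2 encoding is not reproduced here.
fn length_tagged_hash<const T: usize>(inputs: &[u64]) -> u64 {
    assert!(T >= 2, "need at least one rate lane and one capacity lane");
    assert!(inputs.len() <= T - 1, "toy sponge absorbs at most one block");
    let mut state = [0u64; T];
    state[T - 1] = inputs.len() as u64;
    for (i, m) in inputs.iter().enumerate() {
        state[i] = add_mod(state[i], *m);
    }
    permute(&mut state);
    state[0]
}

fn main() {
    let m = 42u64; // constructed sample input
    // The advisory's example: one input with T = 3 collides with that input plus a zero.
    println!("collision: {}", vulnerable_hash::<3>(&[m]) == vulnerable_hash::<3>(&[m, 0]));
    // After the fix the short call is refused and only the full-rate call succeeds.
    println!("fixed, short input: {:?}", fixed_hash::<3>(&[m]));
    println!("fixed, full rate:   {:?}", fixed_hash::<3>(&[m, 0]).is_ok());
    // Workaround for callers: choose T = inputs.len() + 1 so the rate is always full.
    println!("full-rate T = 2:    {:?}", fixed_hash::<2>(&[m]).is_ok());
    // Length in the capacity lane separates the two inputs.
    println!("length-tagged differs: {}", length_tagged_hash::<3>(&[m]) != length_tagged_hash::<3>(&[m, 0]));
}
```

The collision check uses T = 3, the case the advisory singles out; fixed_hash::<2> shows the full-rate workaround (T = inputs.len() + 1) for a single input, and length_tagged_hash shows why binding the length into the capacity lane removes the ambiguity between a missing input and a zero input.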

Related Identifiers

CVE-2026-32129
GHSA-G2P6-HH5V-7HFM

Affected Products

Rs-Soroban-Poseidon
Soroban-Poseidon