Publish GHSA-x57h-xx53-v53w

advisory-database[bot] · advisory-database[bot] · commit ddafde17d2fe · 2026-03-05T20:47:52.000Z
diff --git a/advisories/github-reviewed/2026/03/GHSA-x57h-xx53-v53w/GHSA-x57h-xx53-v53w.json b/advisories/github-reviewed/2026/03/GHSA-x57h-xx53-v53w/GHSA-x57h-xx53-v53w.json
@@ -0,0 +1,70 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-x57h-xx53-v53w",
+  "modified": "2026-03-05T20:45:46Z",
+  "published": "2026-03-05T20:45:46Z",
+  "aliases": [],
+  "summary": "stellar-xdr's StringM::from_str bypasses max length validation",
+  "details": "### Impact\n\n`StringM::from_str` does not validate that the input length is within the declared maximum (`MAX`). Calling `StringM::<N>::from_str(s)` where `s` is longer than `N` bytes succeeds and returns an `Ok` value instead of `Err(Error::LengthExceedsMax)`, producing a `StringM` that violates its length invariant.\n\nThis affects any code that constructs `StringM` values from string input using `FromStr` (including `str::parse`), and relies on the type's maximum length constraint being enforced. An oversized `StringM` could propagate through serialization, validation, or other logic that assumes the invariant holds.\n\nAll published versions of the `stellar-xdr` crate up to and including `v25.0.0` are affected.\n\n### Patches\n\nThe fix is merged in [#500](https://github.com/stellar/rs-stellar-xdr/pull/500). It replaces the direct `Ok(Self(b))` construction with `b.try_into()`, which routes through `TryFrom<Vec<u8>>` and properly validates the length — matching the pattern already used by `BytesM::from_str`.\n\nUsers should upgrade to the first release containing this fix once published (the next release after `v25.0.0`).\n\n### Workarounds\n\nValidate the byte length of string input before calling `StringM::from_str`, or construct `StringM` values via `StringM::try_from(s.as_bytes().to_vec())` which correctly enforces the length constraint.\n\n### References\n\n- Issue: https://github.com/stellar/rs-stellar-xdr/issues/499\n- Fix: https://github.com/stellar/rs-stellar-xdr/pull/500",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "stellar-xdr"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "25.0.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 25.0.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/stellar/rs-stellar-xdr/security/advisories/GHSA-x57h-xx53-v53w"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/stellar/rs-stellar-xdr/issues/499"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/stellar/rs-stellar-xdr/pull/500"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/stellar/rs-stellar-xdr/commit/1f840013c3e2fca0321fb844b048afa01d10dda6"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/stellar/rs-stellar-xdr"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-770"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-05T20:45:46Z",
+    "nvd_published_at": null
+  }
+}
