{
  "url": "http://public2.vulnerablecode.io/api/packages/514948?format=json",
  "purl": "pkg:cargo/stellar-xdr@25.0.1",
  "type": "cargo",
  "namespace": "",
  "name": "stellar-xdr",
  "version": "25.0.1",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": false,
  "next_non_vulnerable_version": null,
  "latest_non_vulnerable_version": null,
  "affected_by_vulnerabilities": [],
  "fixing_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91548?format=json",
      "vulnerability_id": "VCID-pc7n-t7xe-6be5",
      "summary": "stellar-xdr's StringM::from_str bypasses max length validation\n### Impact\n\n`StringM::from_str` does not validate that the input length is within the declared maximum (`MAX`). Calling `StringM::<N>::from_str(s)` where `s` is longer than `N` bytes succeeds and returns an `Ok` value instead of `Err(Error::LengthExceedsMax)`, producing a `StringM` that violates its length invariant.\n\nThis affects any code that constructs `StringM` values from string input using `FromStr` (including `str::parse`), and relies on the type's maximum length constraint being enforced. An oversized `StringM` could propagate through serialization, validation, or other logic that assumes the invariant holds.\n\nAll published versions of the `stellar-xdr` crate up to and including `v25.0.0` are affected.\n\n### Patches\n\nThe fix is merged in [#500](https://github.com/stellar/rs-stellar-xdr/pull/500). It replaces the direct `Ok(Self(b))` construction with `b.try_into()`, which routes through `TryFrom<Vec<u8>>` and properly validates the length — matching the pattern already used by `BytesM::from_str`.\n\nUsers should upgrade to the first release containing this fix once published (the next release after `v25.0.0`).\n\n### Workarounds\n\nValidate the byte length of string input before calling `StringM::from_str`, or construct `StringM` values via `StringM::try_from(s.as_bytes().to_vec())` which correctly enforces the length constraint.\n\n### References\n\n- Issue: https://github.com/stellar/rs-stellar-xdr/issues/499\n- Fix: https://github.com/stellar/rs-stellar-xdr/pull/500",
      "references": [
        {
          "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29795",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09966", "published_at": "2026-06-06T12:55:00Z"},
            {"value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09887", "published_at": "2026-06-09T12:55:00Z"},
            {"value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09854", "published_at": "2026-06-08T12:55:00Z"},
            {"value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09939", "published_at": "2026-06-07T12:55:00Z"},
            {"value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09951", "published_at": "2026-06-05T12:55:00Z"}
          ],
          "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29795"
        },
        {
          "reference_url": "https://github.com/stellar/rs-stellar-xdr",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/stellar/rs-stellar-xdr"
        },
        {
          "reference_url": "https://github.com/stellar/rs-stellar-xdr/commit/1f840013c3e2fca0321fb844b048afa01d10dda6",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},
            {"value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:49:57Z/"}
          ],
          "url": "https://github.com/stellar/rs-stellar-xdr/commit/1f840013c3e2fca0321fb844b048afa01d10dda6"
        },
        {
          "reference_url": "https://github.com/stellar/rs-stellar-xdr/issues/499",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},
            {"value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:49:57Z/"}
          ],
          "url": "https://github.com/stellar/rs-stellar-xdr/issues/499"
        },
        {
          "reference_url": "https://github.com/stellar/rs-stellar-xdr/pull/500",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},
            {"value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:49:57Z/"}
          ],
          "url": "https://github.com/stellar/rs-stellar-xdr/pull/500"
        },
        {
          "reference_url": "https://github.com/stellar/rs-stellar-xdr/security/advisories/GHSA-x57h-xx53-v53w",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},
            {"value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},
            {"value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:49:57Z/"}
          ],
          "url": "https://github.com/stellar/rs-stellar-xdr/security/advisories/GHSA-x57h-xx53-v53w"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29795",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29795"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-x57h-xx53-v53w",
          "reference_id": "GHSA-x57h-xx53-v53w",
          "reference_type": "",
          "scores": [
            {"value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
          ],
          "url": "https://github.com/advisories/GHSA-x57h-xx53-v53w"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/514948?format=json",
          "purl": "pkg:cargo/stellar-xdr@25.0.1",
          "is_vulnerable": false,
          "affected_by_vulnerabilities": [],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:cargo/stellar-xdr@25.0.1"
        }
      ],
      "aliases": ["CVE-2026-29795", "GHSA-x57h-xx53-v53w"],
      "risk_score": 3.1,
      "exploitability": "0.5",
      "weighted_severity": "6.2",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pc7n-t7xe-6be5"
    }
  ],
  "risk_score": null,
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:cargo/stellar-xdr@25.0.1"
}