Description
soroban-poseidon provides Poseidon and Poseidon2 cryptographic hash functions for Soroban smart contracts. Poseidon V1 (PoseidonSponge) accepts variable-length inputs without injective padding. When a caller provides fewer inputs than the sponge rate (inputs.len() < T - 1), unused rate positions are implicitly zero-filled. This allows trivial hash collisions: for any input vector [m1, ..., mk] hashed with a sponge of rate > k, hash([m1, ..., mk]) equals hash([m1, ..., mk, 0]) because both produce identical pre-permutation states. This affects any use of PoseidonSponge or poseidon_hash where the number of inputs is less than T - 1 (e.g., hashing 1 input with T=3). Poseidon2 (Poseidon2Sponge) is not affected.
Published: 2026-03-12
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Hash Collision
Action: Apply Patch
AI Analysis

Impact

PoseidonV1 (PoseidonSponge) is a cryptographic hash function used in Stellar Soroban smart contracts. The implementation accepts variable-length input vectors without explicit padding. When the number of supplied inputs is less than the sponge rate (inputs.len() < T‑1), the remaining rate positions are implicitly zero‑filled. Because the pre‑permutation state is identical for [m1,…,mk] and [m1,…,mk,0] when k < T‑1, the two input vectors hash to the same digest. This creates a trivial hash collision that undermines the integrity guarantees of any hash‑based check, allowing an attacker to generate distinct inputs that produce the same hash output. The weakness is classified as CWE‑328.

Affected Systems

The vulnerability affects the Stellar rs‑soroban‑poseidon library, specifically the PoseidonV1 (PoseidonSponge) implementation. Any smart contract or application that invokes poseidon_hash or PoseidonSponge with fewer inputs than the sponge rate (for example, hashing a single input when T equals 3) is vulnerable. The Poseidon2 (Poseidon2Sponge) implementation is not impacted. The issue was addressed in release v25.0.1, which removes the implicit zero‑padding behavior.

Risk and Exploitability

CVSS score 8.7 indicates a high severity vulnerability, and the EPSS score is less than 1 %, implying a low probability of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via a smart contract that controls the inputs to PoseidonSponge, such as a malicious transaction that calls the hash function with explicitly fewer inputs, thereby inducing a collision. While the flaw does not grant code execution, it can subvert integrity checks and potentially damage contract logic. Consequently, the risk is moderate to high, warranting prompt update of affected deployments.

Generated by OpenCVE AI on March 18, 2026 at 15:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the stellar:rs-soroban-poseidon library to version v25.0.1 or later, which removes the implicit zero-padding behavior.
  • Ensure that all smart contracts using PoseidonSponge avoid supplying fewer inputs than the sponge rate or add explicit padding before hashing.
  • As a temporary workaround, use the Poseidon2Sponge implementation (poseidon2_hash) for new contracts until the PoseidonV1 issue is fully resolved.

Generated by OpenCVE AI on March 18, 2026 at 15:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g2p6-hh5v-7hfm Poseidon V1 variable-length input collision via implicit zero-padding
History

Fri, 13 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Stellar
Stellar rs-soroban-poseidon
Vendors & Products Stellar
Stellar rs-soroban-poseidon

Thu, 12 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description soroban-poseidon provides Poseidon and Poseidon2 cryptographic hash functions for Soroban smart contracts. Poseidon V1 (PoseidonSponge) accepts variable-length inputs without injective padding. When a caller provides fewer inputs than the sponge rate (inputs.len() < T - 1), unused rate positions are implicitly zero-filled. This allows trivial hash collisions: for any input vector [m1, ..., mk] hashed with a sponge of rate > k, hash([m1, ..., mk]) equals hash([m1, ..., mk, 0]) because both produce identical pre-permutation states. This affects any use of PoseidonSponge or poseidon_hash where the number of inputs is less than T - 1 (e.g., hashing 1 input with T=3). Poseidon2 (Poseidon2Sponge) is not affected.
Title Poseidon V1 variable-length input collision via implicit zero-padding
Weaknesses CWE-328
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Stellar Rs-soroban-poseidon
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T16:23:54.655Z

Reserved: 2026-03-10T22:19:36.545Z

Link: CVE-2026-32129

cve-icon Vulnrichment

Updated: 2026-03-13T16:23:52.047Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-12T18:16:25.097

Modified: 2026-03-12T21:07:53.427

Link: CVE-2026-32129

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:48:41Z

Weaknesses