Vulnerability in Poseidon Cryptographic Hash Functions for Soroban by Stellar
CVE-2026-32129
What is CVE-2026-32129?
The soroban-poseidon library, which provides essential cryptographic hash functions for Soroban smart contracts, has a significant vulnerability in Poseidon V1 (PoseidonSponge). This vulnerability arises from the library's handling of variable-length inputs without proper injective padding. Specifically, if a caller inputs fewer values than the sponge rate (i.e., inputs.len() < T - 1), the remaining rate positions are implicitly filled with zeros. This condition leads to the possibility of trivial hash collisions; for any input vector [m1, ..., mk] processed under these circumstances, the hash outcomes will be identical whether or not trailing zeros are appended. It is crucial for developers utilizing PoseidonSponge or poseidon_hash to note that this issue affects cases where the number of inputs is less than T - 1, such as hashing a single input when T is set to 3. Notably, Poseidon2 (Poseidon2Sponge) is unaffected by this vulnerability.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
rs-soroban-poseidon < 25.0.1