ox is vulnerable to Buffer overflow
75
High Risk
The native parser in ext/ox/parse.c includes collapse_special, which decodes &name; entity text into a small on-stack key buffer. When a named token grew past the buffer, the k cursor hit the end sentinel and the code reset k to the buffer start. That reset no longer matched the k-- and null-termination that run immediately after the loop, so k was left inconsistent, allowing invalid pointer use and buffer corruption. Malicious or very long entity-like sequences in attributes or text that reach this path can exercise that logic. The change points k at key+1 in the overflow case before breaking, so the following decrement and entity lookup see a valid buffer state.
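As an added illustration (example code written for this page, not ox's collapse_special and not the actual patch to ext/ox/parse.c), the following C program shows the bounded-key pattern the description refers to: a deliberately small on-stack key buffer, a cursor k that walks it, and an overflow exit that leaves k and the terminating NUL inside the buffer rather than in a state the post-loop code does not expect. The structure differs from ox (it bails out with an explicit return instead of adjusting k before a break); the entity table, KEY_MAX, the function names and the sample strings are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Deliberately small on-stack key buffer, mirroring the advisory's setup. */
#define KEY_MAX 8

/* Constructed entity table for this example. */
static const struct { const char *name; const char *repl; } entities[] = {
    { "amp", "&" }, { "lt", "<" }, { "gt", ">" }, { "quot", "\"" }, { "apos", "'" },
};

/* Look up a NUL-terminated entity name; returns the replacement or NULL. */
static const char *lookup_entity(const char *key) {
    size_t i;
    for (i = 0; i < sizeof(entities) / sizeof(entities[0]); i++)
        if (strcmp(entities[i].name, key) == 0)
            return entities[i].repl;
    return NULL;
}

/* Decode one "&name;" sequence at s (s[0] == '&').
 * On success stores the replacement in *repl and returns the number of input
 * bytes consumed (name length + 2). Returns 0 when the sequence is
 * unterminated, empty, unknown, or longer than the key buffer; the caller then
 * copies the '&' through literally, so the key buffer is never overrun and
 * the terminator is always written in bounds. */
size_t decode_entity(const char *s, const char **repl) {
    char key[KEY_MAX];
    char *k = key;
    const char *end = key + sizeof(key) - 1; /* last slot reserved for NUL */
    const char *p;

    if (s[0] != '&') return 0;
    for (p = s + 1; *p != '\0' && *p != ';'; p++) {
        if (k == end)
            return 0; /* name too long: stop before writing past the buffer */
        *k++ = *p;
    }
    if (*p != ';' || k == key) return 0; /* unterminated or empty "&;" */
    *k = '\0';                           /* k <= end, so this stays in bounds */
    *repl = lookup_entity(key);
    return *repl ? (size_t)(p - s) + 1 : 0;
}

/* Unescape in into out (capacity outlen, including the NUL).
 * Returns the number of bytes written (excluding the NUL), or -1 if out is
 * too small; the output bound is checked for every write. */
long unescape(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    const char *p = in;
    while (*p) {
        const char *repl = NULL;
        size_t n = (*p == '&') ? decode_entity(p, &repl) : 0;
        if (n) {
            size_t rl = strlen(repl);
            if (o + rl >= outlen) return -1;
            memcpy(out + o, repl, rl);
            o += rl;
            p += n;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    return (long)o;
}

int main(void) {
    char buf[64];
    /* Constructed input: valid entities, an over-long name, an unknown name,
     * and an unterminated one at the end. Only the valid ones are decoded. */
    unescape("a &lt;b&gt; &amp; &toolongname; &unknown; &amp", buf, sizeof buf);
    puts(buf);
    return 0;
}
```

The point to check in any decoder of this shape is the pair of invariants the advisory describes: the cursor never reaches past the sentinel, and whatever the loop leaves in k must still be what the code after the loop assumes when it decrements, terminates and looks the key up. Here that is enforced by refusing the token entirely once the key is full, which keeps the remaining input as literal text instead of leaving a half-written key behind.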
You are affected if you are using a version that falls within the vulnerable range.
ox is vulnerable to Buffer overflow in versions 2.14.15 - 2.14.24.
Upgrade the ox library to the patched version.