ox is vulnerable to Uncontrolled Recursion
50
Medium Risk
The ox XML parser recursively reads nested elements with read_element and applies no depth limit, so a deeply nested document drives the native C call stack until it overflows and the host process crashes. The parser also mishandles the end-of-buffer boundary when decoding special character (entity) sequences in read_coded_chars, so an unterminated & sequence at the 31-byte scan limit is treated as a valid entity and read past the intended boundary. An attacker who can supply XML to be parsed can crash the process with a small nested payload, causing denial of service. The fix caps element nesting at a maximum depth of 1000, threads a depth counter through the recursive parsing, and corrects the coded-character boundary check.
You are affected if you are using a version that falls within the vulnerable range and if you parse untrusted XML with ox (e.g. public XML/SOAP endpoints, webhooks, uploaded files).
ox is vulnerable to Uncontrolled Recursion in versions 1.0.0 - 2.14.26.
Upgrade the ox library to the patched version.
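As an added example, not code from the ox project: a non-recursive Ruby scan that measures element nesting depth so untrusted XML can be rejected before it reaches a recursive parser, with the 1000-level cap the fix introduces used as the default limit. The helpers tag_end, xml_max_depth and xml_within_depth? are names assumed by this example.

```ruby
MAX_XML_DEPTH = 1000 # same cap the fix adds to ox; assumed as the default here

# Index of the '>' that closes the tag starting at `from`; a '>' inside a
# quoted attribute value is not treated as the tag end.
def tag_end(xml, from)
  quote = nil
  (from...xml.length).each do |i|
    c = xml[i]
    if quote
      quote = nil if c == quote
    elsif c == '"' || c == "'"
      quote = c
    elsif c == '>'
      return i
    end
  end
  nil # unterminated tag
end

# Deepest element nesting in the document, measured with a loop and a counter
# rather than recursion. Comments, CDATA sections, processing instructions and
# the DOCTYPE are skipped; an unterminated construct ends the scan early.
def xml_max_depth(xml)
  depth = max = pos = 0
  while (lt = xml.index('<', pos))
    if xml[lt, 4] == '<!--'
      close = xml.index('-->', lt + 4) or return max
      pos = close + 3
    elsif xml[lt, 9] == '<![CDATA['
      close = xml.index(']]>', lt + 9) or return max
      pos = close + 3
    else
      gt = tag_end(xml, lt + 1) or return max
      tag = xml[lt..gt]
      if tag.start_with?('</')
        depth -= 1 if depth > 0 # closing tag
      elsif !tag.start_with?('<?', '<!') && !tag.end_with?('/>')
        depth += 1              # opening tag; self-closing tags add no depth
        max = depth if depth > max
      end
      pos = gt + 1
    end
  end
  max
end

# Guard to run on untrusted input before calling Ox.parse or Ox.load.
def xml_within_depth?(xml, max_depth: MAX_XML_DEPTH)
  xml_max_depth(xml) <= max_depth
end
```

The guard is a stopgap for code paths that cannot upgrade immediately; it does not replace moving to the patched version, which also fixes the read_coded_chars boundary check.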