ox is vulnerable to Denial of Service (DoS)
53
Medium Risk
The XML parser in ext/ox/parse.c reads DOCTYPE prolog content through the recursive read_delimited function with no length or depth limit. Parsing an excessively long or deeply nested DOCTYPE drives unbounded recursion until the interpreter reaches a stack-too-deep condition. An attacker who can submit crafted XML to an application that parses it with Ox can exhaust the stack and abort parsing, causing a denial of service. The fix introduces a MAX_PROLOG cap and raises a prolog (doctype) too long error before the stack is exhausted.
You are affected if you are using a version that falls within the vulnerable range and your application parses untrusted XML input with Ox.
ox is vulnerable to Denial of Service (DoS) in versions 2.0.7 - 2.14.27.
Upgrade the ox library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant