CWE-125 Out-of-bounds Read
Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.
What this means
SiteShadow flagged code that may read past the end of a buffer/array.
Why it matters
Out-of-bounds reads can leak data or crash processes.
- Data leakage: memory contents can include secrets, keys, or user data.
- Crashes/DoS from invalid memory access.
Safer examples
1) Use bounds-checked access
Prefer safe indexing APIs and validate indices and lengths.
2) Validate parsing lengths and offsets
Reject malformed inputs before using offsets to slice buffers.
3) Use fuzzing/sanitizers for native code
Fuzzers + ASan catch OOB reads early.
How SiteShadow detects it (high level)
- Flags suspicious indexing/slicing patterns and unsafe buffer reads.
- Prioritizes cases where indices/lengths come from untrusted input or overflowable arithmetic.
References
- CWE-125: https://cwe.mitre.org/data/definitions/125.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.