diff --git a/demo/fw/src/cage.c b/demo/fw/src/cage.c
index c1bf2d4..f69f12a 100644
--- a/demo/fw/src/cage.c
+++ b/demo/fw/src/cage.c
@@ -161,6 +161,9 @@ enum ca_error parse_age_buf(struct ca_keystore *ks, const char *buf, size_t bufl
 
         if (!strncmp(current_line, "-> ", 3)) { /* stanza start */
             stanza_num += 1;
+            if (stanza_num > CA_ERR_TOO_MANY_STANZAS) {
+                return CA_ERR_TOO_MANY_STANZAS;
+            }
 
             if (stanza_head) {
                 err = parse_stanza(ks, stanza_head, current_line - stanza_head, file_key);
diff --git a/demo/fw/src/cage.h b/demo/fw/src/cage.h
index 57194c5..2e7c9fb 100644
--- a/demo/fw/src/cage.h
+++ b/demo/fw/src/cage.h
@@ -24,8 +24,13 @@ enum ca_error {
     CA_ERR_INVALID_PARAMETER = 10,
     CA_ERR_NOT_ENOUGH_SPACE = 11,
     CA_ERR_KEY_NOT_FOUND = 12,
+    CA_ERR_TOO_MANY_STANZAS = 13,
 };
 
+#ifndef CA_MAX_STANZAS
+#define CA_MAX_STANZAS 8
+#endif
+
 struct ca_keystore {
     struct mbedtls_ecp_keypair x25519_kp;
 };