CVE-2026-4645
Infinite Loop DoS in antchfx/xpath via Crafted XPath Expressions
Publication date: 2026-03-23
Last updated on: 2026-03-30
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| antchfx | xpath | * |
| antchfx | xpath | 1.0.0 |
| antchfx | xpath | 1.3.5 |
| antchfx | xpath | 1.5.0 |
| antchfx | xpath | 1.3.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4645 is a denial-of-service vulnerability in the Go package github.com/antchfx/xpath, specifically in the logicalQuery.Select() function. When a crafted Boolean XPath expression that evaluates to true (such as 1=1 or true()) is used as a top-level node selector, the function enters an infinite loop. This happens because logicalQuery.Select() repeatedly returns the same node without ever returning nil, which is required to terminate iteration. As a result, the iteration loop stalls indefinitely, causing 100% CPU utilization on one core and leading to a denial-of-service condition.
The root cause is that logicalQuery.Select() lacks a termination guard or sentinel to stop iteration after the first result, unlike similar functions in the package. This flaw allows an attacker to submit crafted XPath expressions that cause the affected system to consume excessive CPU resources indefinitely.
How can this vulnerability impact me?
This vulnerability can impact you by causing a denial-of-service (DoS) condition on any system using the vulnerable antchfx/xpath component. An attacker can remotely submit crafted Boolean XPath expressions that trigger an infinite loop in the logicalQuery.Select() function, leading to 100% CPU usage on a single core.
The high CPU consumption can degrade system performance, cause application unresponsiveness, and potentially crash or require a restart of the affected service or system. This can disrupt normal operations and availability of applications relying on this XPath processing library.
Any application that passes user-controlled XPath expressions to methods like Find(), QueryAll(), or QuerySelectorAll() in downstream packages (such as antchfx/xmlquery, antchfx/htmlquery, or antchfx/jsonquery) is vulnerable to this unbounded CPU denial-of-service attack.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing unusually high CPU usage (100% CPU utilization on a single core) caused by processes using the github.com/antchfx/xpath package when processing XPath expressions.
Specifically, if an application accepts user-controlled XPath expressions and uses functions like Find(), QueryAll(), or QuerySelectorAll() from antchfx/*query packages, submitting crafted Boolean XPath expressions that evaluate to true (e.g., "1=1", "true()", "0<1") can trigger an infinite loop in logicalQuery.Select(), causing the CPU spike.
To detect this on your system, you can monitor CPU usage of relevant processes and test by running commands or scripts that submit such crafted XPath expressions to the affected application or service.
- Use system monitoring tools like 'top' or 'htop' to identify processes consuming 100% CPU.
- If you have access to the application or service, try submitting XPath expressions such as '1=1', 'true()', or '0<1' to endpoints or interfaces that accept XPath queries.
- Observe if the process handling these queries enters an infinite loop or causes CPU exhaustion. [2, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing untrusted or user-controlled XPath expressions from being processed by the vulnerable logicalQuery.Select() function in the github.com/antchfx/xpath package.
Since the vulnerability causes an infinite loop when processing crafted Boolean XPath expressions that evaluate to true, you should:
- Sanitize or validate all XPath expressions before passing them to the affected functions to block or reject expressions that are trivial Boolean expressions or could cause infinite loops.
- Restrict or disable user input of XPath expressions if possible.
- Monitor and limit CPU usage of processes using this package to detect and stop potential DoS attacks.
Additionally, apply any available patches or updates to the antchfx/xpath package once a fix is released. According to the resources, a fix involves modifying the logicalQuery.Select() method to prevent infinite loops by properly terminating iteration.
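The following is an added illustrative model of the mechanism described in the answers above (a Select() that keeps returning the same node and never nil) beside the termination-guard fix and a defensively capped result loop; it is not code from antchfx/xpath, and the type and function names (node, iterator, brokenLogicalQuery, guardedLogicalQuery, collect) are assumptions chosen for the example.

```go
package main

import "fmt"

// Minimal stand-ins for the query/iterator shapes the advisory describes.
// Illustrative reconstruction only, not antchfx/xpath's own types.
type node struct{ name string }

type iterator struct{ current *node }

// query mirrors the Select contract: return the next matching node,
// or nil once the iteration is exhausted.
type query interface{ Select(it *iterator) *node }

// brokenLogicalQuery models the bug: a true Boolean expression used as a
// top-level selector hands back the context node on every call, never nil.
type brokenLogicalQuery struct{}

func (brokenLogicalQuery) Select(it *iterator) *node { return it.current }

// guardedLogicalQuery models the fix: a sentinel ends iteration after
// the first result, as the package's other query types already do.
type guardedLogicalQuery struct{ done bool }

func (q *guardedLogicalQuery) Select(it *iterator) *node {
	if q.done {
		return nil
	}
	q.done = true
	return it.current
}

// collect drains a query the way Find/QueryAll-style callers do, but with a
// defensive iteration cap so a non-terminating Select cannot spin forever.
// It returns the nodes seen and whether the cap was hit (a DoS signal).
func collect(q query, it *iterator, maxIter int) ([]*node, bool) {
	var out []*node
	for i := 0; i < maxIter; i++ {
		n := q.Select(it)
		if n == nil {
			return out, false
		}
		out = append(out, n)
	}
	return out, true
}

func main() {
	it := &iterator{current: &node{name: "root"}}
	_, capped := collect(brokenLogicalQuery{}, it, 1000)
	fmt.Println("unguarded query hit the iteration cap:", capped)
	res, _ := collect(&guardedLogicalQuery{}, it, 1000)
	fmt.Println("guarded query results:", len(res))
}
```

A cap like the one in collect only bounds loops in code you control; the library-side fix is the sentinel in Select(), and a context timeout alone will not stop a goroutine that is already spinning.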