CVE-2026-4645
Awaiting Analysis Awaiting Analysis - Queue
Infinite Loop DoS in antchfx/xpath via Crafted XPath Expressions

Publication date: 2026-03-23

Last updated on: 2026-03-30

Assigner: Red Hat, Inc.

Description
Rejected reason: Duplicate of CVE-2026-32287
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-03-29
NVD
CVE-2026-4645
EUVD
EUVD-2026-14434
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
antchfx xpath *
antchfx xpath 1.0.0
antchfx xpath 1.3.5
antchfx xpath 1.5.0
antchfx xpath 1.3.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4645 is a denial-of-service vulnerability in the Go package github.com/antchfx/xpath, specifically in the logicalQuery.Select() function. When a crafted Boolean XPath expression that evaluates to true (such as 1=1 or true()) is used as a top-level node selector, the function enters an infinite loop. This happens because logicalQuery.Select() repeatedly returns the same node without ever returning nil, which is required to terminate iteration. As a result, the iteration loop stalls indefinitely, causing 100% CPU utilization on one core and leading to a denial-of-service condition.

The root cause is that logicalQuery.Select() lacks a termination guard or sentinel to stop iteration after the first result, unlike similar functions in the package. This flaw allows an attacker to submit crafted XPath expressions that cause the affected system to consume excessive CPU resources indefinitely.

Impact Analysis

This vulnerability can impact you by causing a denial-of-service (DoS) condition on any system using the vulnerable antchfx/xpath component. An attacker can remotely submit crafted Boolean XPath expressions that trigger an infinite loop in the logicalQuery.Select() function, leading to 100% CPU usage on a single core.

The high CPU consumption can degrade system performance, cause application unresponsiveness, and potentially crash or require a restart of the affected service or system. This can disrupt normal operations and availability of applications relying on this XPath processing library.

Any application that passes user-controlled XPath expressions to methods like Find(), QueryAll(), or QuerySelectorAll() in downstream packages (such as antchfx/xmlquery, antchfx/htmlquery, or antchfx/jsonquery) is vulnerable to this unbounded CPU denial-of-service attack.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by observing unusually high CPU usage (100% CPU utilization on a single core) caused by processes using the github.com/antchfx/xpath package when processing XPath expressions.'}, {'type': 'paragraph', 'content': 'Specifically, if an application accepts user-controlled XPath expressions and uses functions like Find(), QueryAll(), or QuerySelectorAll() from antchfx/*query packages, submitting crafted Boolean XPath expressions that evaluate to true (e.g., "1=1", "true()", "0<1") can trigger an infinite loop in logicalQuery.Select(), causing the CPU spike.'}, {'type': 'paragraph', 'content': 'To detect this on your system, you can monitor CPU usage of relevant processes and test by running commands or scripts that submit such crafted XPath expressions to the affected application or service.'}, {'type': 'list_item', 'content': "Use system monitoring tools like 'top' or 'htop' to identify processes consuming 100% CPU."}, {'type': 'list_item', 'content': "If you have access to the application or service, try submitting XPath expressions such as '1=1', 'true()', or '0<1' to endpoints or interfaces that accept XPath queries."}, {'type': 'list_item', 'content': 'Observe if the process handling these queries enters an infinite loop or causes CPU exhaustion.'}] [2, 4]

Mitigation Strategies

Immediate mitigation steps include preventing untrusted or user-controlled XPath expressions from being processed by the vulnerable logicalQuery.Select() function in the github.com/antchfx/xpath package.

Since the vulnerability causes an infinite loop when processing crafted Boolean XPath expressions that evaluate to true, you should:

  • Sanitize or validate all XPath expressions before passing them to the affected functions to block or reject expressions that are trivial Boolean expressions or could cause infinite loops.
  • Restrict or disable user input of XPath expressions if possible.
  • Monitor and limit CPU usage of processes using this package to detect and stop potential DoS attacks.

Additionally, apply any available patches or updates to the antchfx/xpath package once a fix is released. According to the resources, a fix involves modifying the logicalQuery.Select() method to prevent infinite loops by properly terminating iteration.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4645. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart