Description
Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".
Published: 2026-03-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Boolean XPath expressions that evaluate to true can create an infinite loop in logicalQuery.Select, causing the process to consume 100% CPU. The result is a denial‑of‑service condition for the application or system that hosts the library. The weakness is identified as unreliable input validation (CWE‑606) and infinite loop (CWE‑835).

Affected Systems

The vulnerability resides in the antchfx/xpath Go library. All projects that incorporate versions of this library before the patch commit afd4762cc342af56345a3fb4002a59281fcab494 are affected. No specific version range is documented, but any deployment using the library prior to this commit should be considered vulnerable and requires updating.

Risk and Exploitability

The CVSS v3.1 base score is 7.5 (High). The EPSS score is below 1%, implying a low probability of real‑world exploitation at present, and the CVE is not listed in CISA’s KEV catalog. The likely attack vector is a boolean XPath expression, such as "1=1" or "true()", supplied through any user‑controllable input that reaches logicalQuery.Select. If the application evaluates XPath from untrusted requests with this library, an attacker could trigger the loop and exhaust CPU, leading to service disruption.

Generated by OpenCVE AI on April 22, 2026 at 03:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the antchfx/xpath dependency to a version that includes the fix commit afd4762cc342af56345a3fb4002a59281fcab494.
  • If the library is used to parse user input, validate or sanitize the XPath expressions to reject boolean conditions such as "1=1" or "true()" before invoking logicalQuery.Select.
  • Review the logicalQuery.Select implementation to confirm proper exit conditions and eliminate potential infinite loops, addressing CWE‑835.
  • Consider configuring application resource limits or CPU quotas to mitigate the impact of potential infinite loops.
  • Continuously monitor application CPU usage and set alerts for abnormal spikes that could indicate a DoS attempt.
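The second and fourth recommended actions above (reject top‑level boolean expressions before they reach logicalQuery.Select, and bound the resources an evaluation may consume) can be combined in a small guard placed in front of the selector call. The Go program below is an added example written for this page; it is not code from antchfx/xpath, OpenCVE, or the advisory. It uses only the standard library so it runs without the dependency: SelectFunc stands in for the library's node‑selection call, IsTopLevelBoolean is a heuristic scan that flags comparison operators, and/or, and boolean function calls at bracket depth zero (it is not an XPath parser and will reject a few unusual but valid selectors, such as an element literally named or), and GuardedSelect applies both the pre‑check and a wall‑clock budget. The selectors fakeSelect and hangingSelect are constructed for the demonstration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ErrTopLevelBoolean is returned when an expression looks like a top-level
// boolean or comparison rather than a node-set selector.
var ErrTopLevelBoolean = errors.New("xpath: top-level boolean expression rejected")

// isNameChar approximates the characters that may appear in an XPath name or
// step, used only to find word boundaries around "and"/"or".
func isNameChar(c byte) bool {
	return c == '_' || c == '-' || c == '.' || c == ':' || c == '@' || c == '*' ||
		(c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// hasWordAt reports whether s[i:] starts with w as a whole word.
func hasWordAt(s string, i int, w string) bool {
	if !strings.HasPrefix(s[i:], w) {
		return false
	}
	before := i == 0 || !isNameChar(s[i-1])
	after := i+len(w) == len(s) || !isNameChar(s[i+len(w)])
	return before && after
}

// IsTopLevelBoolean is a conservative heuristic (assumption: not a full XPath
// parser). It returns true when a comparison operator, "and"/"or", or a
// boolean function call (true(), false(), not(...)) occurs outside every
// predicate [...] and argument list (...). Such expressions yield a boolean
// rather than a node-set, which is the shape named in the advisory.
func IsTopLevelBoolean(expr string) bool {
	s := strings.TrimSpace(expr)
	depth := 0
	var inQuote byte // active string-literal delimiter, 0 when outside one
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case inQuote != 0:
			if c == inQuote {
				inQuote = 0
			}
		case c == '\'' || c == '"':
			inQuote = c
		case c == '[' || c == '(':
			depth++
		case c == ']' || c == ')':
			depth--
		case depth == 0:
			switch {
			case c == '=' || c == '<' || c == '>':
				return true
			case c == '!' && i+1 < len(s) && s[i+1] == '=':
				return true
			case hasWordAt(s, i, "and") || hasWordAt(s, i, "or"):
				return true
			case strings.HasPrefix(s[i:], "true()"), strings.HasPrefix(s[i:], "false()"), strings.HasPrefix(s[i:], "not("):
				return true
			}
		}
	}
	return false
}

// SelectFunc abstracts the node-selection call (in production, the library's
// Select) so the guard can be exercised without the dependency.
type SelectFunc func(expr string) ([]string, error)

// GuardedSelect rejects top-level boolean expressions up front and bounds the
// wall-clock time of the selection. Go cannot kill a goroutine, so a runaway
// loop in a vulnerable build keeps burning CPU after the deadline; the budget
// only keeps the caller responsive. Updating the library remains the fix.
func GuardedSelect(ctx context.Context, sel SelectFunc, expr string, budget time.Duration) ([]string, error) {
	if IsTopLevelBoolean(expr) {
		return nil, ErrTopLevelBoolean
	}
	ctx, cancel := context.WithTimeout(ctx, budget)
	defer cancel()
	type result struct {
		nodes []string
		err   error
	}
	ch := make(chan result, 1)
	go func() {
		nodes, err := sel(expr)
		ch <- result{nodes, err}
	}()
	select {
	case r := <-ch:
		return r.nodes, r.err
	case <-ctx.Done():
		return nil, fmt.Errorf("xpath: selection exceeded %v: %w", budget, ctx.Err())
	}
}

// fakeSelect is a constructed stand-in for a healthy selector: canned results,
// never loops.
func fakeSelect(expr string) ([]string, error) {
	if expr == "//book/title" || expr == "//book[@price > 10]/title" {
		return []string{"<title>Go Security</title>", "<title>XPath in Practice</title>"}, nil
	}
	return nil, nil
}

// hangingSelect is a constructed stand-in for the infinite loop in the
// advisory; it sleeps rather than spins so the demo terminates.
func hangingSelect(expr string) ([]string, error) {
	time.Sleep(2 * time.Second)
	return nil, nil
}

func main() {
	for _, e := range []string{"1=1", "true()", "//book[@price > 10]/title", "count(//item) > 3"} {
		nodes, err := GuardedSelect(context.Background(), fakeSelect, e, 200*time.Millisecond)
		fmt.Printf("%-28q -> nodes=%v err=%v\n", e, nodes, err)
	}
	_, err := GuardedSelect(context.Background(), hangingSelect, "//slow", 50*time.Millisecond)
	fmt.Println("hanging selector:", err)
}
```

The pre‑check catches the expression shapes the advisory names before any library code runs, and the deadline turns a hung evaluation into a fast error for the request handler. Because the spinning goroutine survives the deadline, pair this with a process‑level CPU quota and the CPU‑usage alerting from the list above, and treat the guard as defence in depth, not as a substitute for moving past the fix commit.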

Advisories
Source: Github GHSA
ID: GHSA-65xw-vw82-r86x
Title: XPath: Boolean expression infinite loop leads to denial of service via CPU exhaustion
History

Tue, 21 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
CPEs cpe:2.3:a:antchfx:xpath:*:*:*:*:*:go:*:*

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Mon, 30 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-606
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
CWE-770

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
CWE-770

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Antchfx
Antchfx xpath
Vendors & Products Antchfx
Antchfx xpath

Thu, 26 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".
Title Infinite loop in github.com/antchfx/xpath
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-03-30T14:55:05.920Z

Reserved: 2026-03-11T16:38:46.556Z

Link: CVE-2026-32287

Vulnrichment

Updated: 2026-03-30T14:12:56.371Z

NVD

Status : Analyzed

Published: 2026-03-26T20:16:12.403

Modified: 2026-04-21T15:33:09.517

Link: CVE-2026-32287

Redhat

Severity : Moderate

Public Date: 2026-03-26T19:40:52Z

Links: CVE-2026-32287 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T03:45:06Z

Weaknesses