Description
Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".
Published: 2026-03-26
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service through CPU exhaustion
Action: Apply Fix
AI Analysis

Impact

Boolean XPath expressions that evaluate to true trigger an infinite loop in the logicalQuery.Select routine of the github.com/antchfx/xpath package. The loop pins the evaluating goroutine at 100% CPU, which can stall the application and disrupt the services that depend on it. This is a classic resource-exhaustion weakness (CWE-400/CWE-770): an attacker who controls the expression can cause a denial of service, but the flaw does not by itself enable code execution or privilege escalation.

Affected Systems

The affected product is the Go library github.com/antchfx/xpath. The public advisory does not give a fixed version range; every release that still contains the faulty loop in logicalQuery.Select should be treated as affected until the fixing commit is confirmed to be present. Projects that import the library as a dependency, directly or transitively, are at risk, above all those that evaluate user-supplied XPath expressions.

Risk and Exploitability

No CVSS score is supplied, the EPSS estimate is below 1%, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is any code path, local or remote, that passes attacker-influenced text to the library as an XPath expression; a top-level selector such as "1=1" or "true()" is enough to trigger the loop. Exploitation therefore requires that the attacker can influence the XPath query evaluated by a dependent application. Because the outcome is denial of service rather than privilege escalation, the overall threat is moderate, but it can be high for latency-sensitive or critical services that evaluate untrusted expressions: the loop never terminates on its own, and a runaway goroutine cannot be killed from outside the process.

Generated by OpenCVE AI on March 26, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update github.com/antchfx/xpath to a version that includes the commit afd4762cc342af56345a3fb4002a59281fcab494 or later.
  • If an upgrade is not immediately possible, reject expressions whose top-level result is a boolean rather than a node-set (e.g., "1=1", "true()", or any selector whose outermost operator is a comparison, and, or or) before they reach the library. The trigger is the type of the expression, not whether it happens to be true, so validation must be done on the expression text, not on its result.
  • Monitor application CPU usage for abnormal spikes that could indicate an infinite loop.
  • Pin the dependency in go.mod (and go.sum) to a revision at or after the fixing commit, and verify the resolved version with `go list -m github.com/antchfx/xpath` so a transitive requirement cannot pull an older revision back in.
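The second recommended action above asks for a pre-filter on the expression text. The following Go program is an added example of such a filter; it is not code from the antchfx/xpath project or from OpenCVE. It deliberately does not import the library, so that it can run anywhere, and it implements a syntactic heuristic over XPath 1.0: an expression is treated as top-level boolean when, after peeling wrapping parentheses, it is a bare call to a boolean function, or when a comparison operator or the words and/or appear at bracket depth zero outside quotes. The function names (IsTopLevelBoolean, GuardXPath), the list of boolean functions and the sample selectors are my own assumptions for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrTopLevelBoolean is returned for expressions this pre-filter rejects.
var ErrTopLevelBoolean = errors.New("xpath: top-level boolean expression rejected")

// XPath 1.0 core functions whose result is a boolean (assumed list for this
// example). A selector that is nothing but a call to one of these is boolean.
var booleanFuncs = map[string]bool{
	"true": true, "false": true, "not": true, "boolean": true,
	"contains": true, "starts-with": true, "lang": true,
}

func isNameChar(c byte) bool {
	return c == '-' || c == '_' || c == '.' || c == ':' ||
		('0' <= c && c <= '9') || ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z')
}

// matchingClose returns the index of the bracket closing s[open], or -1.
// Brackets inside string literals are ignored.
func matchingClose(s string, open int) int {
	depth := 0
	var quote byte
	for i := open; i < len(s); i++ {
		c := s[i]
		switch {
		case quote != 0:
			if c == quote {
				quote = 0
			}
		case c == '\'' || c == '"':
			quote = c
		case c == '(' || c == '[':
			depth++
		case c == ')' || c == ']':
			depth--
			if depth == 0 {
				return i
			}
		}
	}
	return -1
}

// operatorWordAt reports whether s[i:] starts with w ("and"/"or") used as an
// operator: a whole word with an operand to its left. "//and" is a name test.
func operatorWordAt(s string, i int, w string) bool {
	if !strings.HasPrefix(s[i:], w) {
		return false
	}
	if i > 0 && isNameChar(s[i-1]) {
		return false
	}
	if end := i + len(w); end < len(s) && isNameChar(s[end]) {
		return false
	}
	j := i - 1
	for j >= 0 && s[j] == ' ' {
		j--
	}
	return j >= 0 && !strings.ContainsRune("/@:([,", rune(s[j]))
}

// IsTopLevelBoolean reports whether the outermost value of expr is a boolean:
// a bare boolean function call, a comparison, or an and/or at depth zero.
func IsTopLevelBoolean(expr string) bool {
	s := strings.TrimSpace(expr)
	// Peel parentheses wrapping the whole expression: "(1=1)" -> "1=1".
	for strings.HasPrefix(s, "(") && matchingClose(s, 0) == len(s)-1 {
		s = strings.TrimSpace(s[1 : len(s)-1])
	}
	if s == "" {
		return false
	}
	// Whole expression is a single call, e.g. true() or not(//a).
	if i := strings.IndexByte(s, '('); i > 0 && matchingClose(s, i) == len(s)-1 &&
		booleanFuncs[strings.TrimSpace(s[:i])] {
		return true
	}
	depth := 0
	var quote byte
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case quote != 0:
			if c == quote {
				quote = 0
			}
		case c == '\'' || c == '"':
			quote = c
		case c == '(' || c == '[':
			depth++
		case c == ')' || c == ']':
			depth--
		case depth != 0:
			// inside a predicate or argument list: not top level
		case c == '=' || c == '<' || c == '>' || (c == '!' && i+1 < len(s) && s[i+1] == '='):
			return true
		case operatorWordAt(s, i, "and") || operatorWordAt(s, i, "or"):
			return true
		}
	}
	return false
}

// GuardXPath returns expr unchanged when it may be handed to the library's
// node-set selection path, or ErrTopLevelBoolean when it must be refused.
func GuardXPath(expr string) (string, error) {
	if IsTopLevelBoolean(expr) {
		return "", ErrTopLevelBoolean
	}
	return expr, nil
}

func main() {
	// Constructed sample selectors; the first two are the advisory's triggers.
	for _, e := range []string{"1=1", "true()", "(not(//a))", "//a and //b",
		"count(//a) > 0", "//item[position()=1]", "//a[contains(., 'and')]", "//and", "//a | //b"} {
		_, err := GuardXPath(e)
		fmt.Printf("%-28q -> %v\n", e, err)
	}
}
```

The filter is a stop-gap, not a fix: it only needs to be as strict as the untrusted inputs the application actually accepts, and it errs on the side of rejecting. As I read the library's API, an alternative that does not depend on parsing is to evaluate with the compiled expression's Evaluate method and only iterate when the returned value is a node iterator, since the loop lives in the Select path; either way, upgrade to a revision containing the fixing commit as soon as possible.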

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 09:30:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-400, CWE-770

Fri, 27 Mar 2026 08:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Antchfx; Antchfx xpath
Vendors & Products                     Antchfx; Antchfx xpath

Thu, 26 Mar 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description                    Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".
Title                          Infinite loop in github.com/antchfx/xpath
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-03-26T19:40:52.142Z

Reserved: 2026-03-11T16:38:46.556Z

Link: CVE-2026-32287

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-26T20:16:12.403

Modified: 2026-03-26T20:16:12.403

Link: CVE-2026-32287

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:25:21Z

Weaknesses