Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".
AnalysisAI
The antchfx/xpath Go library prior to version 1.3.6 contains a denial-of-service vulnerability in the logicalQuery.Select function where Boolean XPath expressions that evaluate to true (such as '1=1' or 'true()') trigger an infinite loop, consuming 100% CPU resources. Remote attackers can exploit this via top-level XPath selectors without authentication, potentially disrupting any application that uses this library to process untrusted XPath queries. Upstream fix is available in commit afd4762cc342af56345a3fb4002a59281fcab494, with no public exploit code identified at time of analysis.
Technical ContextAI
The antchfx/xpath library is a Go package for parsing and evaluating XPath expressions, commonly used in applications that process XML documents. The vulnerability exists in the logicalQuery.Select method, which handles logical operations in XPath queries. When a Boolean expression evaluates to true at the top level, the implementation enters an infinite loop instead of properly terminating query execution. This represents a logic error in control flow rather than memory corruption or injection; the root cause is inadequate boundary conditions or loop termination logic in the query evaluation engine. The affected CPE is cpe:2.3:a:github.com/antchfx/xpath:github.com/antchfx/xpath:*:*:*:*:*:*:*:*, covering all versions prior to 1.3.6.
RemediationAI
Upgrade github.com/antchfx/xpath to version 1.3.6 or later immediately. The upstream fix is available in commit afd4762cc342af56345a3fb4002a59281fcab494 (see https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494). Applications should update their Go module dependency via 'go get -u github.com/antchfx/xpath@latest' or pin to version 1.3.6+. Until patching is possible, implement input validation to reject or sanitize XPath expressions that contain top-level Boolean literals ('true()', '1=1', etc.), or enforce timeout/resource limits on XPath query execution to prevent unbounded CPU consumption. Network-level rate limiting on XML parsing endpoints may provide temporary mitigation.
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16349
GHSA-65xw-vw82-r86x