Skip to main content

Github Com Antchfx Xpath EUVDEUVD-2026-16349

| CVE-2026-32287 HIGH
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-03-26 Go GHSA-65xw-vw82-r86x
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
6.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 21, 2026 - 15:37 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 20:01 euvd
EUVD-2026-16349
Analysis Generated
Mar 26, 2026 - 20:01 vuln.today
CVE Published
Mar 26, 2026 - 19:40 nvd
HIGH 7.5

DescriptionCVE.org

Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

AnalysisAI

The antchfx/xpath Go library prior to version 1.3.6 contains a denial-of-service vulnerability in the logicalQuery.Select function where Boolean XPath expressions that evaluate to true (such as '1=1' or 'true()') trigger an infinite loop, consuming 100% CPU resources. Remote attackers can exploit this via top-level XPath selectors without authentication, potentially disrupting any application that uses this library to process untrusted XPath queries. Upstream fix is available in commit afd4762cc342af56345a3fb4002a59281fcab494, with no public exploit code identified at time of analysis.

Technical ContextAI

The antchfx/xpath library is a Go package for parsing and evaluating XPath expressions, commonly used in applications that process XML documents. The vulnerability exists in the logicalQuery.Select method, which handles logical operations in XPath queries. When a Boolean expression evaluates to true at the top level, the implementation enters an infinite loop instead of properly terminating query execution. This represents a logic error in control flow rather than memory corruption or injection; the root cause is inadequate boundary conditions or loop termination logic in the query evaluation engine. The affected CPE is cpe:2.3:a:github.com/antchfx/xpath:github.com/antchfx/xpath:*:*:*:*:*:*:*:*, covering all versions prior to 1.3.6.

RemediationAI

Upgrade github.com/antchfx/xpath to version 1.3.6 or later immediately. The upstream fix is available in commit afd4762cc342af56345a3fb4002a59281fcab494 (see https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494). Applications should update their Go module dependency via 'go get -u github.com/antchfx/xpath@latest' or pin to version 1.3.6+. Until patching is possible, implement input validation to reject or sanitize XPath expressions that contain top-level Boolean literals ('true()', '1=1', etc.), or enforce timeout/resource limits on XPath query execution to prevent unbounded CPU consumption. Network-level rate limiting on XML parsing endpoints may provide temporary mitigation.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

EUVD-2026-16349 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy