CVE-2026-32287 Overview
CVE-2026-32287 is a Denial of Service vulnerability affecting the antchfx/xpath Go library. Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This vulnerability can be triggered by top-level selectors such as 1=1 or true(), allowing attackers to exhaust server CPU resources with specially crafted XPath queries.
Critical Impact
Applications using the antchfx/xpath library to process user-supplied XPath expressions are vulnerable to CPU exhaustion attacks that can render services unresponsive.
Affected Products
- antchfx/xpath Go library (versions prior to the security patch)
- Applications using antchfx/xpath for XPath query processing
- Go applications processing untrusted XPath input
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-32287 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-32287
Vulnerability Analysis
This vulnerability exists in the XPath query processing logic within the antchfx/xpath library. When processing Boolean XPath expressions that evaluate to true (such as 1=1 or true()), the logicalQuery.Select function enters an infinite loop. This occurs because the function was designed to return the current node when a Boolean expression evaluates to true, but failed to properly terminate the iteration, causing the function to repeatedly return the same node indefinitely.
The vulnerability is particularly dangerous in web applications or services that accept user-controlled XPath queries, as an attacker can trivially craft a malicious query to exhaust CPU resources and cause a denial of service condition.
Root Cause
The root cause lies in the Select method of the logicalQuery struct in query.go. The original implementation evaluated the XPath expression and, when encountering a Boolean result that was true, returned the current node. However, this logic created a condition where the iterator would never advance, causing the same node to be returned repeatedly in an infinite loop.
Attack Vector
An attacker can exploit this vulnerability by submitting XPath queries containing Boolean expressions that always evaluate to true. Common attack payloads include:
- 1=1 - A simple Boolean comparison that always returns true
- true() - The XPath true() function
- not(false()) - Negated false expression
When processed by the vulnerable library, these expressions cause the CPU to spike to 100% utilization as the Select function enters an infinite loop.
// Vulnerable code removed in the security patch
// Source: https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494
func (l *logicalQuery) Select(t iterator) NodeNavigator {
// When a XPath expr is logical expression.
node := t.Current().Copy()
val := l.Evaluate(t)
switch val.(type) {
case bool:
if val.(bool) == true {
return node
}
}
return nil
}
// Fixed version simply returns nil
func (l *logicalQuery) Select(t iterator) NodeNavigator {
return nil
}
Source: GitHub Commit Update
Detection Methods for CVE-2026-32287
Indicators of Compromise
- Sudden CPU utilization spikes to 100% on servers processing XPath queries
- Application processes becoming unresponsive while handling XPath operations
- Log entries showing XPath queries with Boolean expressions like 1=1, true(), or similar patterns
- Increased latency or timeouts in services that process XML/XPath data
Detection Strategies
- Monitor CPU utilization patterns for sustained 100% usage on application servers
- Implement request logging and alerting for XPath queries containing suspicious Boolean expressions
- Use application performance monitoring (APM) to detect infinite loops in Go applications
- Review dependency versions to identify vulnerable antchfx/xpath library usage
Monitoring Recommendations
- Configure resource limits (CPU quotas, timeouts) for XPath processing operations
- Implement query timeout mechanisms to terminate long-running XPath evaluations
- Set up automated alerts for abnormal CPU consumption patterns
- Monitor Go application goroutine counts for signs of stuck processing threads
How to Mitigate CVE-2026-32287
Immediate Actions Required
- Update the antchfx/xpath library to the patched version immediately
- Review all applications that process user-supplied XPath expressions
- Implement input validation to reject potentially malicious XPath patterns
- Apply resource limits to prevent single queries from exhausting system resources
Patch Information
The vulnerability has been addressed in a security patch committed to the antchfx/xpath repository. The fix modifies the Select method to return nil immediately, preventing the infinite loop condition. Organizations should update to the patched version by pulling the latest release from the repository.
For detailed patch information, refer to:
Workarounds
- Implement XPath query timeouts at the application level to terminate long-running evaluations
- Validate and sanitize XPath input to reject Boolean-only expressions before processing
- Deploy rate limiting on endpoints that accept XPath queries
- Use containerization with CPU limits to prevent a single process from exhausting host resources
# Configuration example
# Update Go dependencies to pull the patched version
go get -u github.com/antchfx/xpath@latest
# Verify the installed version includes the security fix
go list -m github.com/antchfx/xpath
# Run vulnerability check on your Go modules
govulncheck ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
