CVE-2026-4645 Overview
A flaw was found in the github.com/antchfx/xpath component, a popular Go library used for XPath query processing. A remote attacker could exploit this vulnerability by submitting crafted Boolean XPath expressions that evaluate to true. This can cause an infinite loop in the logicalQuery.Select function, leading to 100% CPU utilization and a Denial of Service (DoS) condition for the affected system.
Critical Impact
Remote attackers can cause complete service unavailability by triggering an infinite loop through malicious XPath expressions, resulting in full CPU exhaustion without authentication.
Affected Products
- github.com/antchfx/xpath Go package (versions prior to patch)
- Applications utilizing the antchfx/xpath library for XPath query processing
- Go-based services implementing XML/HTML parsing with XPath support
Discovery Timeline
- 2026-03-23 - CVE-2026-4645 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-4645
Vulnerability Analysis
This vulnerability is classified under CWE-835 (Loop with Unreachable Exit Condition), commonly known as an infinite loop vulnerability. The flaw resides in the logicalQuery.Select function within the github.com/antchfx/xpath package. When processing Boolean XPath expressions that evaluate to true, the function fails to properly terminate its iteration, causing the application to enter an infinite loop.
The attack is exploitable remotely over the network without requiring any user interaction or authentication. When triggered, the affected process consumes 100% CPU resources, effectively denying service to legitimate users. This makes it particularly dangerous for web services and APIs that process user-supplied XPath queries.
Root Cause
The root cause lies in the logicalQuery.Select function's handling of Boolean XPath expressions. The original implementation would evaluate the XPath expression and, when the result was a Boolean true value, return the current node without properly advancing the iterator. This design flaw allowed specially crafted Boolean expressions to create a condition where the loop never terminates, as the function continuously evaluates the same true condition without progressing through the query evaluation.
Attack Vector
An attacker can exploit this vulnerability by sending crafted XPath expressions containing Boolean logic that evaluates to true to any application using the vulnerable antchfx/xpath library. The attack requires network access to the target application but does not require any privileges or user interaction. When the malicious XPath expression is processed, the logicalQuery.Select function enters an infinite loop, consuming all available CPU resources and preventing the application from processing legitimate requests.
// Security patch in query.go - fix #121
// Before (vulnerable):
func (l *logicalQuery) Select(t iterator) NodeNavigator {
// When a XPath expr is logical expression.
node := t.Current().Copy()
val := l.Evaluate(t)
switch val.(type) {
case bool:
if val.(bool) == true {
return node
}
}
return nil
}
// After (patched):
func (l *logicalQuery) Select(t iterator) NodeNavigator {
return nil
}
Source: GitHub Commit for XPath Project
Detection Methods for CVE-2026-4645
Indicators of Compromise
- Sustained 100% CPU utilization on processes handling XPath query parsing
- Application unresponsiveness or timeouts when processing XML/HTML content
- Increased memory consumption in Go-based services utilizing xpath libraries
- Unusual patterns of XPath queries containing complex Boolean expressions
Detection Strategies
- Monitor CPU usage patterns for Go applications that implement XPath functionality
- Implement application-level logging to track XPath query execution times and detect anomalies
- Deploy runtime application self-protection (RASP) solutions to identify infinite loop conditions
- Review dependency manifests to identify usage of vulnerable antchfx/xpath versions
Monitoring Recommendations
- Set up alerts for sustained high CPU utilization exceeding normal thresholds
- Implement query timeout mechanisms to prevent long-running XPath operations
- Monitor application response latency to detect service degradation
- Review Go module dependencies using go list -m -json all to identify vulnerable packages
How to Mitigate CVE-2026-4645
Immediate Actions Required
- Update the github.com/antchfx/xpath package to the patched version containing commit afd4762cc342af56345a3fb4002a59281fcab494
- Audit all applications using the antchfx/xpath library and prioritize updates
- Implement input validation to restrict or sanitize user-supplied XPath expressions
- Consider deploying rate limiting on endpoints that accept XPath queries
Patch Information
The vulnerability has been addressed in the antchfx/xpath repository. The fix removes the problematic Boolean evaluation logic from the logicalQuery.Select function, preventing the infinite loop condition. For detailed patch information, refer to the GitHub Commit for XPath Project and the related GitHub Issue #121 on XPath. Additional context is available in the Red Hat CVE-2026-4645 Advisory and the GoLang Vulnerability Database Issue #4526.
Workarounds
- Implement query execution timeouts at the application level to kill long-running XPath operations
- Restrict XPath functionality to trusted users only until patching is complete
- Deploy web application firewalls (WAF) with rules to filter suspicious XPath patterns
- Consider sandboxing XPath query processing in isolated environments with resource limits
# Update Go module to patched version
go get -u github.com/antchfx/xpath@latest
# Verify the updated dependency
go list -m github.com/antchfx/xpath
# Run vulnerability scan on dependencies
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
