CVE-2026-4645

DOCUMENTATION: A flaw was found in the github.com/antchfx/xpath component. A remote attacker could exploit this vulnerability by submitting crafted Boolean XPath expressions that evaluate to true. This can cause an infinite loop in the logicalQuery.Select function, leading to 100% CPU utilization and a Denial of Service (DoS) condition for the affected system. 

            STATEMENT: A denial of service vulnerability was discovered in github.com/antchfx/xpath, with Important severity. Systems processing untrusted XPath expressions are vulnerable to an infinite loop, leading to 100% CPU utilization which would impact normal operations of the system.

            MITIGATION: To mitigate this issue, restrict the processing of untrusted or unvalidated XPath expressions by applications which utilize the github.com/antchfx/xpath component. Implement input validation and sanitization for all XPath expressions originating from external or untrusted sources. If possible, configure applications to only process XPath expressions from trusted sources or disable features that allow arbitrary XPath expression evaluation.