GO-2026-4526
- Source
- https://pkg.go.dev/vuln/GO-2026-4526
- Import Source
- https://vuln.go.dev/ID/GO-2026-4526.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GO-2026-4526
- Aliases
- Related
- Published
- 2026-03-17T20:58:59Z
- Modified
- 2026-03-30T14:29:16.654688015Z
- Summary
- Infinite loop in github.com/antchfx/xpath
- Details
-
Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".
- Database specific
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2026-4526" }- References
Affected packages
Go / github.com/antchfx/xpath
Package
- Name
- github.com/antchfx/xpath
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/antchfx/xpath
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.3.6
Ecosystem specific
{
"imports": [
{
"path": "github.com/antchfx/xpath",
"symbols": [
"Expr.Evaluate",
"NodeIterator.MoveNext",
"ancestorQuery.Evaluate",
"ancestorQuery.Select",
"attributeQuery.Evaluate",
"attributeQuery.Select",
"booleanQuery.Evaluate",
"booleanQuery.Select",
"cachedChildQuery.Evaluate",
"cachedChildQuery.Select",
"childQuery.Evaluate",
"childQuery.Select",
"descendantOverDescendantQuery.Evaluate",
"descendantOverDescendantQuery.Select",
"descendantQuery.Evaluate",
"descendantQuery.Select",
"filterQuery.Evaluate",
"filterQuery.Select",
"followingQuery.Evaluate",
"followingQuery.Select",
"functionQuery.Evaluate",
"groupQuery.Evaluate",
"groupQuery.Select",
"lastFuncQuery.Evaluate",
"logicalQuery.Evaluate",
"logicalQuery.Select",
"mergeQuery.Evaluate",
"mergeQuery.Select",
"numericQuery.Evaluate",
"parentQuery.Evaluate",
"parentQuery.Select",
"precedingQuery.Evaluate",
"precedingQuery.Select",
"selfQuery.Evaluate",
"selfQuery.Select",
"transformFunctionQuery.Evaluate",
"transformFunctionQuery.Select",
"unionQuery.Evaluate",
"unionQuery.Select"
]
}
]
}