{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/xpath/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xpath","denial-of-service","cve-2026-32287"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA denial-of-service vulnerability exists in the \u003ccode\u003eantchfx/xpath\u003c/code\u003e Go package, specifically in versions prior to 1.3.6. The vulnerability, identified as CVE-2026-32287, stems from the way the \u003ccode\u003elogicalQuery.Select\u003c/code\u003e function handles boolean expressions. When expressions that always evaluate to true, such as \u0026ldquo;1=1\u0026rdquo; or \u0026ldquo;true()\u0026rdquo;, are used as top-level selectors, they can trigger an infinite loop within the function. This results in the affected system consuming 100% of CPU resources, effectively denying service to legitimate users. The vulnerability was published on March 29, 2026, and patched in version 1.3.6.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious XPath expression containing a boolean expression that always evaluates to true, such as \u0026ldquo;1=1\u0026rdquo; or \u0026ldquo;true()\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker sends this malicious XPath expression to an application that uses the vulnerable \u003ccode\u003eantchfx/xpath\u003c/code\u003e package.\u003c/li\u003e\n\u003cli\u003eThe application parses the XPath expression using the \u003ccode\u003elogicalQuery.Select\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to the nature of the expression, the \u003ccode\u003elogicalQuery.Select\u003c/code\u003e function enters an infinite loop.\u003c/li\u003e\n\u003cli\u003eThe infinite loop consumes excessive CPU resources.\u003c/li\u003e\n\u003cli\u003eThe application becomes unresponsive due to CPU exhaustion.\u003c/li\u003e\n\u003cli\u003eLegitimate users are unable to access the application.\u003c/li\u003e\n\u003cli\u003eThe system experiences a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition. An affected server or application becomes unresponsive, impacting all users who rely on the service. While the vulnerability does not directly compromise data confidentiality or integrity, it can severely disrupt operations. The number of potential victims depends on the scope and deployment of applications utilizing the vulnerable \u003ccode\u003eantchfx/xpath\u003c/code\u003e package.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eantchfx/xpath\u003c/code\u003e package to version 1.3.6 or later to patch CVE-2026-32287.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect XPath Boolean Expression DoS Attempt\u003c/code\u003e to identify attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious XPath expressions, particularly those containing \u0026ldquo;1=1\u0026rdquo; or \u0026ldquo;true()\u0026rdquo;, using the \u003ccode\u003eWeb Server Log - XPath Boolean Expression\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-29T15:19:45Z","date_published":"2026-03-29T15:19:45Z","id":"/briefs/2026-03-xpath-dos/","summary":"A vulnerability in the antchfx/xpath package allows for denial of service via CPU exhaustion by exploiting boolean expressions that evaluate to true, leading to an infinite loop.","title":"XPath Boolean Expression DoS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-xpath-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Xpath","version":"https://jsonfeed.org/version/1.1"}