Antchfx XPath Boolean Expression Infinite Loop Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in the Antchfx XPath library, specifically in the logicalQuery.Select function. This issue arises when boolean XPath expressions that evaluate to true, such as '1=1' or 'true()', are used as top-level selectors. The vulnerability causes an infinite loop, leading to 100% CPU usage, as the function repeatedly returns the same node without an exit condition. This flaw can be exploited by any application that accepts user-controlled XPath expressions and passes them to query functions in the Antchfx XPath package or its downstream counterparts.

Impact

Exploitation of this vulnerability causes an infinite loop that consumes a single CPU core at 100% capacity, effectively stalling the process until it is manually terminated. This unbounded CPU usage can lead to a denial-of-service condition, causing the application to become unresponsive.

Reproduction

To reproduce this vulnerability, use the Antchfx XPath library version prior to 1.3.6 and pass a boolean XPath expression that evaluates to true as a top-level node selector. This can be done using expressions like '1=1' or 'true()'. The logicalQuery.Select function will enter an infinite loop, consuming 100% of a CPU core.

Remediation

Users can update to Antchfx XPath version 1.3.6 or later, where this vulnerability has been fixed.