Antchfx XPath Component Denial-of-Service Vulnerability via Boolean XPath Expressions
Vulnerability
A denial-of-service vulnerability has been identified in the Antchfx XPath component, specifically in version 1.3.5. The issue arises when a remote attacker submits a crafted Boolean XPath expression that evaluates to true. Such an expression causes the 'logicalQuery.Select' function to enter an infinite loop, driving CPU utilization to 100% and creating a DoS condition on the affected system. The vulnerability is reachable in any application that accepts user-controlled XPath expressions and passes them to query functions, such as 'QuerySelectorAll', in the downstream Antchfx query packages.
Impact
Exploitation of this vulnerability leads to an infinite loop in the 'logicalQuery.Select' function, causing 100% CPU usage and stalling the application until the process is manually terminated. This behavior consumes a single CPU core continuously, creating a significant denial-of-service condition.
Reproduction
To reproduce this vulnerability, use a Boolean XPath expression that evaluates to true, such as '1=1' or 'true()'. When such an expression is applied as a top-level node selector in the 'logicalQuery.Select' function, the loop repeatedly returns the same node and never terminates. This applies to any application that uses the affected XPath component and passes user-controlled XPath expressions to its query functions.
Remediation
Users can upgrade to Antchfx XPath version 1.3.6, which addresses this vulnerability by modifying the 'logicalQuery.Select' function to include a termination condition that prevents the infinite loop.
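Where an upgrade cannot be rolled out immediately, a conservative pre-filter on user-controlled expressions narrows what reaches the query functions. The validator below is an added example, not code from antchfx/xpath or from the downstream query packages; it assumes the application only needs location paths and rejects expressions whose top level is a literal, a function call, a comparison, or a boolean operator (the '1=1' and 'true()' shapes described above).

```go
package main
import (
	"fmt"
	"strings"
)
// ValidateUserXPath is a conservative pre-filter (added illustration, not
// antchfx code, and no substitute for upgrading to 1.3.6). It accepts
// expressions that look like location paths and rejects top-level literals,
// function calls, comparisons and boolean operators such as '1=1' or 'true()'.
func ValidateUserXPath(expr string) error {
	expr = strings.TrimSpace(expr)
	if expr == "" || strings.ContainsAny(expr[:1], "0123456789'\"(-") {
		return fmt.Errorf("xpath: empty, literal or bare top-level expression rejected")
	}
	var quote rune          // active string delimiter, 0 outside strings
	depth := 0              // nesting of [...] and (...)
	var top strings.Builder // text seen at depth 0 outside string literals
	for _, r := range expr {
		switch {
		case quote != 0:
			if r == quote {
				quote = 0
			}
		case r == '\'' || r == '"':
			quote = r
		case r == '[' || r == '(':
			if r == '(' && depth == 0 && !strings.Contains(top.String(), "/") {
				// identifier followed by '(' before any step: a call like true() or count(...)
				return fmt.Errorf("xpath: top-level function call rejected")
			}
			depth++
		case r == ']' || r == ')':
			depth--
		case depth == 0:
			top.WriteRune(r)
		}
	}
	if depth != 0 || quote != 0 || strings.ContainsAny(top.String(), "=<>!") {
		return fmt.Errorf("xpath: unbalanced expression or top-level comparison rejected")
	}
	for _, word := range strings.Fields(top.String()) {
		if word == "and" || word == "or" {
			return fmt.Errorf("xpath: top-level boolean operator rejected")
		}
	}
	return nil
}
```

Predicates inside brackets (for example '//item[@id='1' and @x]') still pass, because only depth-0 text is inspected; a bare step such as 'text()' is rejected as a false positive, which is the intended conservative behaviour.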