xmlquery before 1.3.1 lacks a check for whether a LoadURL response is in the XML format, which allows attackers to cause a denial of service (SIGSEGV) at xmlquery.(*Node).InnerText or possibly have unspecified other impact.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25614
Reference (s):
- https://github.com/antchfx/xmlquery/compare/v1.3.0 v1.3.1
- https://github.com/antchfx/xmlquery/issues/39