GHSA-836r-79rf-4m37: Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser
A Regular Expression Denial of Service (ReDoS) vulnerability exists in soupsieve's CSS selector parser due to catastrophic backtracking in a regex pattern when processing attribute selectors with unterminated quoted values. This can cause the regex engine to hang for several seconds with a payload of only 300 bytes. The issue affects any application that compiles untrusted CSS selectors using soupsieve versions prior to 2.8.4. The attack is CPU-bound, causing thread blocking without memory exhaustion.
AI Analysis
Technical Summary
The soupsieve CSS selector engine for Beautiful Soup 4 contains a regex in css_parser.py that is vulnerable to catastrophic backtracking when parsing attribute selectors with unterminated quoted values. The regex pattern attempts to match quoted strings but lacks proper anchoring or termination checks, causing exponential backtracking when the closing quote is missing. This results in CPU exhaustion and thread blocking for payloads as small as 300 bytes. The vulnerability affects soupsieve versions before 2.8.4 and can be triggered by passing untrusted CSS selectors to soupsieve.compile() or Beautiful Soup's .select()/.select_one() methods.
Potential Impact
An attacker can cause a denial of service by exhausting CPU resources on any server-side Python application using vulnerable soupsieve versions to parse untrusted CSS selectors. The attack requires only a small payload (around 300 bytes) and causes the regex engine to hang for multiple seconds, blocking the thread. This can degrade service availability or cause application unresponsiveness. There is no memory exhaustion or data confidentiality impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid passing untrusted or user-supplied CSS selectors to soupsieve.compile() or Beautiful Soup's .select()/.select_one() methods. Consider input validation or limiting selector complexity to mitigate potential ReDoS attacks.
GHSA-836r-79rf-4m37: Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser
Description
A Regular Expression Denial of Service (ReDoS) vulnerability exists in soupsieve's CSS selector parser due to catastrophic backtracking in a regex pattern when processing attribute selectors with unterminated quoted values. This can cause the regex engine to hang for several seconds with a payload of only 300 bytes. The issue affects any application that compiles untrusted CSS selectors using soupsieve versions prior to 2.8.4. The attack is CPU-bound, causing thread blocking without memory exhaustion.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The soupsieve CSS selector engine for Beautiful Soup 4 contains a regex in css_parser.py that is vulnerable to catastrophic backtracking when parsing attribute selectors with unterminated quoted values. The regex pattern attempts to match quoted strings but lacks proper anchoring or termination checks, causing exponential backtracking when the closing quote is missing. This results in CPU exhaustion and thread blocking for payloads as small as 300 bytes. The vulnerability affects soupsieve versions before 2.8.4 and can be triggered by passing untrusted CSS selectors to soupsieve.compile() or Beautiful Soup's .select()/.select_one() methods.
Potential Impact
An attacker can cause a denial of service by exhausting CPU resources on any server-side Python application using vulnerable soupsieve versions to parse untrusted CSS selectors. The attack requires only a small payload (around 300 bytes) and causes the regex engine to hang for multiple seconds, blocking the thread. This can degrade service availability or cause application unresponsiveness. There is no memory exhaustion or data confidentiality impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid passing untrusted or user-supplied CSS selectors to soupsieve.compile() or Beautiful Soup's .select()/.select_one() methods. Consider input validation or limiting selector complexity to mitigate potential ReDoS attacks.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-836r-79rf-4m37
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-49477"]
- Ecosystems
- ["PyPI"]
- Database Specific Severity
- HIGH
- Cvss Version
- 3.1
Threat ID: 6a4fa9a168715ace437d3dcc
Added to database: 07/09/2026, 14:01:05 UTC
Last enriched: 07/09/2026, 14:02:54 UTC
Last updated: 07/09/2026, 17:20:59 UTC
Views: 14
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.