soupsieve CVE-2026-49476
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable, low-complexity, unauthenticated selector input with no user interaction yields availability-only impact (A:H, C:N/I:N); scope unchanged as only the parsing process is affected.
Primary rating from Vendor (https://github.com/facelessuser/soupsieve).
CVSS VectorVendor: https://github.com/facelessuser/soupsieve
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 32,248 pypi packages depend on soupsieve (238 direct, 32,079 indirect)
Ecosystem-wide dependent count for version 2.8.4.
DescriptionCVE.org
Summary
The CSS selector parser in soupsieve (the CSS selector engine for Beautiful Soup 4) allocates unbounded memory when compiling large comma-separated selector lists. An attacker who can supply a crafted CSS selector string to soupsieve.compile() or Beautiful Soup's .select() / .select_one() can cause the application to allocate hundreds of megabytes of heap memory from a relatively small input, leading to memory exhaustion and denial of service.
To be completely transparent, AI tools helped surface this issue. However, it was independently reproduced and carefully validated. Researchers follow responsible disclosure practices and originally shared this report privately.
A 500 KB selector string triggers allocation of approximately 244 MB of heap memory - a 488x- amplification ratio**.
Details
Affected code: soupsieve/css_parser.py, lines ~204, 925, 1106
The soupsieve CSS parser splits comma-separated selector lists and creates one CSSSelector object per list item. Each CSSSelector object contains parsed selector data structures including SelectorList, Selector, and associated tag/attribute/pseudo-class metadata.
When a selector string such as a,a,a,... (with 250,000 comma-separated items) is passed to sv.compile(), the parser:
- Tokenises the entire string and identifies each comma-delimited segment (line ~1106)
- Parses each segment into a full
Selectorobject with all associated metadata (line ~925) - Stores all parsed selectors in a
SelectorList(line ~204)
Root cause: No limit is enforced on the number of selectors in a comma-separated list. The parser will attempt to parse and store an arbitrary number of selectors, with each selector object consuming approximately 976 bytes of heap memory. The total allocation scales linearly with the number of list items, but the amplification ratio (output memory / input bytes) is extremely high because each single-character selector like a expands into a complex object graph.
Attack surface: Any application that passes user-supplied CSS selectors to soupsieve.compile() or Beautiful Soup's .select() / .select_one().
Proof of Concept
import tracemalloc
import soupsieve as sv
tracemalloc.start()
# Build a 500 KB selector string: "a,a,a,...,a" (250,000 items)
count = 250_000
selector = ",".join("a" for _ in range(count))
print(f"Selector string size: {len(selector):,} bytes ({len(selector) / 1024:.0f} KB)")
# Compile the selector — this allocates ~244 MB
compiled = sv.compile(selector)
current, peak = tracemalloc.get_traced_memory()
tracemalloc.stop()
print(f"Compiled selector count: {len(compiled.selectors):,}")
print(f"Current memory: {current / 1024 / 1024:.1f} MB")
print(f"Peak memory: {peak / 1024 / 1024:.1f} MB")
print(f"Amplification ratio: {peak / len(selector):.0f}x")
# Expected output:
# Selector string size: 499,999 bytes (488 KB)
# Compiled selector count: 250,000
# Current memory: ~244 MB
# Peak memory: ~244 MB
# Amplification ratio: ~488xImpact
Severity: High
An attacker can exhaust available memory on any server-side Python application that compiles user-supplied CSS selectors via soupsieve. This can cause:
- OOM kills in containerised deployments (Kubernetes pods, Docker containers) with memory limits
- Swap thrashing on bare-metal servers, degrading performance for all co-located processes
- Process termination via Python's
MemoryErrorexception if the system runs out of addressable memory
| Parameter | Value |
|---|---|
| Input size | ~500 KB selector string |
| Memory allocated | ~244 MB |
| Amplification ratio | ~488Ã- |
| Per-object overhead | ~976 bytes per selector |
| Authentication required | None |
| User interaction required | None |
Scalability of attack: The memory allocation scales linearly - doubling the selector count doubles memory usage. An attacker can tune the payload to exactly exhaust a target's memory limits. Multiple concurrent requests multiply the effect.
Downstream exposure: soupsieve is an automatic dependency of beautifulsoup4, one of the most widely installed Python packages. Any web application accepting CSS selectors from users (e.g., web scraping APIs, content filtering tools, CMS preview features) is potentially affected.
---
Credit
Discovered by a security research team from the University of Sydney, focused on detecting open source software vulnerabilities. Liyi Zhou: https://lzhou1110.github.io/ Ziyue Wang: https://zyy0530.github.io/ Strick: https://str1ckl4nd.github.io/ Maurice: https://maurice.busystar.org/ Chenchen Yu: https://7thparkk.github.io/
Articles & Coverage 2
AnalysisAI
Memory-exhaustion denial of service in soupsieve, the CSS selector engine bundled with Beautiful Soup 4 (beautifulsoup4), lets remote unauthenticated attackers crash Python services by submitting a large comma-separated CSS selector to soupsieve.compile() or Beautiful Soup's .select()/.select_one(). Each comma-delimited item is parsed into a ~976-byte object graph with no cap on list length, so a ~500 KB selector string of 'a,a,a,...' expands to roughly 244 MB of heap (a ~488x amplification), triggering OOM kills or MemoryError. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application pass attacker-controlled CSS selector strings into soupsieve.compile() or Beautiful Soup's .select()/.select_one() - the concrete precondition is a user-facing feature that accepts a selector (web scraping APIs, content filtering, CMS preview). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5, High) captures a pure availability impact reachable over the network with low complexity and no authentication or user interaction - consistent with the DoS-only nature of the flaw (C:N/I:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targets a web-scraping or content-filtering API that lets users specify a CSS selector, and submits a ~500 KB payload of 250,000 comma-separated 'a' selectors; when the service calls soupsieve.compile() (directly or via Beautiful Soup's .select()), it allocates ~244 MB of heap, and a few concurrent requests exhaust the container's memory limit and trigger an OOM kill. The published proof-of-concept demonstrates the ~488x amplification exactly, and the network attack vector with low complexity and no authentication (AV:N/AC:L/PR:N) makes this trivial to script and repeat. |
| Remediation | No vendor-released patch version was identified in the available data - upgrade to the fixed soupsieve release once published and tracked in the GitHub Security Advisory GHSA-2wc2-fm75-p42x (https://github.com/facelessuser/soupsieve/security/advisories/GHSA-2wc2-fm75-p42x); pin and update beautifulsoup4's soupsieve dependency accordingly. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all internal and third-party services that depend on Beautiful Soup 4 (check requirements.txt, setup.py, Pipfile, and package manifests). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-2wc2-fm75-p42x