Skip to main content

soupsieve CVE-2026-49476

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-07-09 https://github.com/facelessuser/soupsieve GHSA-2wc2-fm75-p42x
7.5
CVSS 3.1 · Vendor: https://github.com/facelessuser/soupsieve
Share

Severity by source

Vendor (https://github.com/facelessuser/soupsieve) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable, low-complexity, unauthenticated selector input with no user interaction yields availability-only impact (A:H, C:N/I:N); scope unchanged as only the parsing process is affected.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/facelessuser/soupsieve).

CVSS VectorVendor: https://github.com/facelessuser/soupsieve

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 14:22 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 32,248 pypi packages depend on soupsieve (238 direct, 32,079 indirect)

Ecosystem-wide dependent count for version 2.8.4.

DescriptionCVE.org

Summary

The CSS selector parser in soupsieve (the CSS selector engine for Beautiful Soup 4) allocates unbounded memory when compiling large comma-separated selector lists. An attacker who can supply a crafted CSS selector string to soupsieve.compile() or Beautiful Soup's .select() / .select_one() can cause the application to allocate hundreds of megabytes of heap memory from a relatively small input, leading to memory exhaustion and denial of service.

To be completely transparent, AI tools helped surface this issue. However, it was independently reproduced and carefully validated. Researchers follow responsible disclosure practices and originally shared this report privately.

A 500 KB selector string triggers allocation of approximately 244 MB of heap memory - a 488x- amplification ratio**.

Details

Affected code: soupsieve/css_parser.py, lines ~204, 925, 1106

The soupsieve CSS parser splits comma-separated selector lists and creates one CSSSelector object per list item. Each CSSSelector object contains parsed selector data structures including SelectorList, Selector, and associated tag/attribute/pseudo-class metadata.

When a selector string such as a,a,a,... (with 250,000 comma-separated items) is passed to sv.compile(), the parser:

  1. Tokenises the entire string and identifies each comma-delimited segment (line ~1106)
  2. Parses each segment into a full Selector object with all associated metadata (line ~925)
  3. Stores all parsed selectors in a SelectorList (line ~204)

Root cause: No limit is enforced on the number of selectors in a comma-separated list. The parser will attempt to parse and store an arbitrary number of selectors, with each selector object consuming approximately 976 bytes of heap memory. The total allocation scales linearly with the number of list items, but the amplification ratio (output memory / input bytes) is extremely high because each single-character selector like a expands into a complex object graph.

Attack surface: Any application that passes user-supplied CSS selectors to soupsieve.compile() or Beautiful Soup's .select() / .select_one().

Proof of Concept

python
import tracemalloc
import soupsieve as sv

tracemalloc.start()
# Build a 500 KB selector string: "a,a,a,...,a" (250,000 items)
count = 250_000
selector = ",".join("a" for _ in range(count))
print(f"Selector string size: {len(selector):,} bytes ({len(selector) / 1024:.0f} KB)")
# Compile the selector — this allocates ~244 MB
compiled = sv.compile(selector)

current, peak = tracemalloc.get_traced_memory()
tracemalloc.stop()

print(f"Compiled selector count: {len(compiled.selectors):,}")
print(f"Current memory: {current / 1024 / 1024:.1f} MB")
print(f"Peak memory: {peak / 1024 / 1024:.1f} MB")
print(f"Amplification ratio: {peak / len(selector):.0f}x")
# Expected output:
# Selector string size: 499,999 bytes (488 KB)
# Compiled selector count: 250,000
# Current memory: ~244 MB
# Peak memory: ~244 MB
# Amplification ratio: ~488x

Impact

Severity: High

An attacker can exhaust available memory on any server-side Python application that compiles user-supplied CSS selectors via soupsieve. This can cause:

  • OOM kills in containerised deployments (Kubernetes pods, Docker containers) with memory limits
  • Swap thrashing on bare-metal servers, degrading performance for all co-located processes
  • Process termination via Python's MemoryError exception if the system runs out of addressable memory
ParameterValue
Input size~500 KB selector string
Memory allocated~244 MB
Amplification ratio~488Ã-
Per-object overhead~976 bytes per selector
Authentication requiredNone
User interaction requiredNone

Scalability of attack: The memory allocation scales linearly - doubling the selector count doubles memory usage. An attacker can tune the payload to exactly exhaust a target's memory limits. Multiple concurrent requests multiply the effect.

Downstream exposure: soupsieve is an automatic dependency of beautifulsoup4, one of the most widely installed Python packages. Any web application accepting CSS selectors from users (e.g., web scraping APIs, content filtering tools, CMS preview features) is potentially affected.

---

Credit

Discovered by a security research team from the University of Sydney, focused on detecting open source software vulnerabilities. Liyi Zhou: https://lzhou1110.github.io/ Ziyue Wang: https://zyy0530.github.io/ Strick: https://str1ckl4nd.github.io/ Maurice: https://maurice.busystar.org/ Chenchen Yu: https://7thparkk.github.io/

AnalysisAI

Memory-exhaustion denial of service in soupsieve, the CSS selector engine bundled with Beautiful Soup 4 (beautifulsoup4), lets remote unauthenticated attackers crash Python services by submitting a large comma-separated CSS selector to soupsieve.compile() or Beautiful Soup's .select()/.select_one(). Each comma-delimited item is parsed into a ~976-byte object graph with no cap on list length, so a ~500 KB selector string of 'a,a,a,...' expands to roughly 244 MB of heap (a ~488x amplification), triggering OOM kills or MemoryError. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify endpoint accepting user CSS selectors
Delivery
Craft ~500 KB comma-separated selector list
Exploit
Submit to trigger soupsieve.compile()
Execution
Parser allocates ~244 MB object graph
Persist
Repeat concurrently to exhaust memory
Impact
OOM kill / MemoryError denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application pass attacker-controlled CSS selector strings into soupsieve.compile() or Beautiful Soup's .select()/.select_one() - the concrete precondition is a user-facing feature that accepts a selector (web scraping APIs, content filtering, CMS preview). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5, High) captures a pure availability impact reachable over the network with low complexity and no authentication or user interaction - consistent with the DoS-only nature of the flaw (C:N/I:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targets a web-scraping or content-filtering API that lets users specify a CSS selector, and submits a ~500 KB payload of 250,000 comma-separated 'a' selectors; when the service calls soupsieve.compile() (directly or via Beautiful Soup's .select()), it allocates ~244 MB of heap, and a few concurrent requests exhaust the container's memory limit and trigger an OOM kill. The published proof-of-concept demonstrates the ~488x amplification exactly, and the network attack vector with low complexity and no authentication (AV:N/AC:L/PR:N) makes this trivial to script and repeat.
Remediation No vendor-released patch version was identified in the available data - upgrade to the fixed soupsieve release once published and tracked in the GitHub Security Advisory GHSA-2wc2-fm75-p42x (https://github.com/facelessuser/soupsieve/security/advisories/GHSA-2wc2-fm75-p42x); pin and update beautifulsoup4's soupsieve dependency accordingly. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all internal and third-party services that depend on Beautiful Soup 4 (check requirements.txt, setup.py, Pipfile, and package manifests). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-49476 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy