Description
Soup Sieve is a CSS selector library designed to be used with Beautiful Soup 4. Prior to 2.8.4, the CSS selector parser in soupsieve contains a regular expression vulnerable to catastrophic backtracking when processing an attribute selector with an unterminated quoted value in soupsieve/css_parser.py, allowing an attacker who can supply untrusted CSS selector strings to soupsieve.compile() or Beautiful Soup .select() / .select_one() to cause CPU exhaustion and denial of service. This issue is fixed in version 2.8.4.
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-836r-79rf-4m37 | Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser |
References
History
Tue, 14 Jul 2026 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Soup Sieve is a CSS selector library designed to be used with Beautiful Soup 4. Prior to 2.8.4, the CSS selector parser in soupsieve contains a regular expression vulnerable to catastrophic backtracking when processing an attribute selector with an unterminated quoted value in soupsieve/css_parser.py, allowing an attacker who can supply untrusted CSS selector strings to soupsieve.compile() or Beautiful Soup .select() / .select_one() to cause CPU exhaustion and denial of service. This issue is fixed in version 2.8.4. | |
| Title | Soup Sieve: Regular Expression Denial of Service (ReDoS) in soupsieve Selector Parser | |
| Weaknesses | CWE-1333 CWE-400 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-14T20:51:29.369Z
Reserved: 2026-05-30T04:17:43.095Z
Link: CVE-2026-49477
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Github GHSA