⬆️ Updates soupsieve to v2.8.4 [SECURITY]#3566
Conversation
Branch automerge failureThis PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.
|
|
Dependency limit exceeded — report not shown. This pull request scan exceeded the 10,000-dependency limit applied to this scan, so the results are incomplete and may be inaccurate. To avoid reporting false positives, Socket has not posted a report. Upgrade your plan to raise the dependency limit and get complete reports, or view the partial scan in the dashboard. Socket is always free for open source. If this is a non-commercial open source project, contact us to request a free Team account. |
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
e944e2d to
5a37a50
Compare
There was a problem hiding this comment.
Scan Summary
| Tool | Critical | High | Medium | Low | Status |
|---|---|---|---|---|---|
| Dependency Scan (universal) | 2 | 9 | 5 | 0 | ❌ |
| Secrets Audit | 0 | 5 | 0 | 0 | ❌ |
| Kotlin Security Audit | 0 | 0 | 0 | 0 | ✅ |
| Security Audit for Infrastructure | 14 | 92 | 8 | 32 | ❌ |
| Shell Script Analysis | 0 | 0 | 0 | 195 | ✅ |
| Kotlin Static Analysis | 0 | 0 | 0 | 0 | ✅ |
| Python Source Analyzer | 0 | 0 | 0 | 0 | ✅ |
Recommendation
Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍
This PR contains the following updates:
==2.3.2.post1→==2.8.4Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser
CVE-2026-49477 / GHSA-836r-79rf-4m37
More information
Details
Summary
The CSS selector parser in soupsieve (the CSS selector engine for Beautiful Soup 4) contains a regular expression vulnerable to catastrophic backtracking. When processing an attribute selector with an unterminated quoted value, the
VALUEregex pattern incss_parser.pyenters exponential backtracking. A payload of only 300 bytes causes the regex engine to hang for over 3 seconds, enabling a trivial Regular Expression Denial of Service (ReDoS) attack.To be completely transparent, AI tools helped surface this issue. However, this was independently reproduced and carefully validated.
Any application that passes untrusted CSS selector strings to
soupsieve.compile()or Beautiful Soup's.select()/.select_one()is affected.Details
Affected code:
soupsieve/css_parser.py, line ~121 -RE_VALUES/VALUEregex patternThe soupsieve CSS parser uses a compiled regular expression to tokenise attribute selector values. This pattern matches both quoted strings (
"value"or'value') and unquoted identifiers. The regex contains alternation branches for:"[^"\\]*(?:\\.[^"\\]*)*"'[^'\\]*(?:\\.[^'\\]*)*'When an attribute selector contains an unterminated quoted value - e.g.,
[a="xxxx...(opening"but no closing") -” the regex engine attempts to match the quoted-string branch. After that branch fails (no closing quote), the engine backtracks and attempts to match the remaining input against subsequent alternation branches and parent patterns. The structure of the pattern causes catastrophic backtracking where the number of backtracking steps grows exponentially with the length of the content between the opening quote and the end of the string.Root cause: The regex pattern does not anchor or guard against the case where a quoted string is never terminated. The overlapping character classes across alternation branches create exponential backtracking when the quoted-string branch fails on long input.
Key characteristics:
Proof of Concept
Safe testing variant with timeout:
Impact
Severity: High
An attacker can cause CPU exhaustion on any server-side Python application that compiles user-supplied CSS selectors via soupsieve. The attack is particularly dangerous because:
[a="xxx...)Deployment impact: In threaded or async web applications, a single malicious request blocks a worker thread for the duration of the backtracking. An attacker can submit multiple concurrent requests to exhaust all available workers, causing complete service denial. The small payload size makes the attack easy to deliver and difficult to detect via request size limits.
Downstream exposure: soupsieve is an automatic dependency of
beautifulsoup4, one of the most widely installed Python packages. Any web application, API, or service that accepts CSS selectors from users is potentially affected.Credit
The vulnerability was discovered by a security research team from the University of Sydney, whose focus is detecting open source software vulnerabilities.
Liyi Zhou: https://lzhou1110.github.io/
Ziyue Wang: https://zyy0530.github.io/
Strick: https://str1ckl4nd.github.io/
Maurice: https://maurice.busystar.org/
Chenchen Yu: https://7thparkk.github.io/
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
facelessuser/soupsieve (soupsieve)
v2.8.4Compare Source
2.8.4
v2.8.3Compare Source
2.8.3
v2.8.2Compare Source
2.8.2
:in-rangeand:out-of-rangewith end of year weeks (@mundanevision20).v2.8.1Compare Source
2.8.1
v2.8Compare Source
2.8
v2.7Compare Source
2.7
:openpseudo selector.:mutedpseudo selector.:autofill,:buffering,:fullscreen,:picture-in-picture,:popover-open,:seeking,:stalled, and:volume-locked. These selectors, while recognized, will not match anyelement as they require a live environment to check element states and browser states. This just prevents Soup Sieve
from failing when any of these selectors are specified.
v2.6Compare Source
2.6
&as scoping root per the CSS Nesting Module, Level 1. When&is used outside thecontext of nesting, it is treated as the scoping root (equivalent to
:scope).v2.5Compare Source
2.5
v2.4.1Compare Source
2.4.1
v2.4Compare Source
2.4
:lang()in the official CSS spec.:lang("")should match unspecifiedlanguages, e.g.
lang="", but notlang=und.:is()and:where()should allow forgiving selector lists according to latest CSS (as far as SoupSieve supports "forgiving" which is limited to empty selectors).
Configuration
📅 Schedule: (in timezone Europe/Moscow)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.