PT-2026-41810 · Pypi · Justhtml
Publicado
2026-05-08
·
Atualizado
2026-05-08
Nenhuma
Não há classificações de severidade ou métricas disponíveis. Quando houver, atualizaremos as informações correspondentes na página.
Summary
justhtml 1.18.0 fixes multiple low-severity denial-of-service hardening issues in CSS selector handling and linkification.These issues are availability concerns. They do not allow script execution, data disclosure, or sanitizer bypass by themselves.
Affected versions
justhtml< 1.18.0
Fixed version
justhtml1.18.0released on May 4, 2026
Impact
CSS selector handling
Applications that evaluate attacker-controlled selector strings, or that run selector-based transform pipelines over attacker-controlled documents, could consume disproportionate CPU or memory.
The affected selector patterns included oversized selectors, large selector lists, oversized compound selectors, long combinator chains, deeply nested functional pseudo-classes such as
:not(...), repeated attribute/class token matching over large values, repeated sibling or ancestor scans, repeated positional pseudo-class work, and :contains(...) over large descendant text.Programmatically constructed malformed DOM graphs could also trigger non-terminating or duplicate traversal in some selector paths, including cyclic/shared child graphs, cyclic parent chains, and cyclic text traversal for
:contains(...).Linkification
Attacker-controlled text containing punctuation-heavy input or URL candidates ending in long runs of unmatched closing brackets could cause repeated rescanning and consume disproportionate CPU when linkification was enabled.
Default configuration
Ordinary sanitization of parsed HTML with the default
JustHTML(..., sanitize=True) configuration is not expected to expose untrusted users to selector injection, because selectors are normally supplied by application code.The main risk areas are:
- applications that accept selector strings from untrusted users and pass them to
query(...),matches(...), or selector-based transforms - custom transform or sanitization pipelines that run selector matching over very large untrusted documents
- applications that construct or mutate DOM trees programmatically from untrusted structure
- applications that enable
Linkify(...)over attacker-controlled text
Fixes in 1.18.0
1.18.0 adds generalized selector resource controls and removes several repeated-work hot paths:- shared selector limits for parse and match operations
- structural caps for selector length, selector lists, compound selectors, complex selectors, and parse depth
- match-operation and string-byte budgets
- per-query matcher state for caches and cycle guards
- precomputed or cached ancestor, sibling, positional, attribute-token, text-content,
:not(...),:empty, and:nth-child(...)work - consistent enforcement across public parsing,
query(...), tag-only query fast paths, transform selector compilation, and sanitization transform matching - linkification hardening for punctuation-heavy inputs and trailing bracket trimming
CWE mapping
- CWE-400: Uncontrolled Resource Consumption
- CWE-407: Inefficient Algorithmic Complexity
- CWE-835: Loop with Unreachable Exit Condition
Recommended action
Upgrade to
justhtml 1.18.0.If users cannot upgrade immediately:
- do not pass untrusted selector strings to
query(...),matches(...), or selector-based transforms - restrict the size of untrusted documents before selector matching or linkification
- avoid constructing programmatic DOM graphs from untrusted structure
- avoid enabling
Linkify(...)on very large attacker-controlled text
Credit
Discovered during an internal security review of
justhtml.Infinite Loop
Resource Exhaustion
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Justhtml