How the mentioned CVE works:
The vulnerabilities in justhtml <1.18.0 stem from inefficient algorithmic complexity and uncontrolled resource consumption in two areas.

First, CSS selector handling: attacker‑controlled selector strings can trigger exponential CPU/memory usage through oversized selectors (e.g., 10,000+ characters), large selector lists (e.g., 50,000 simple selectors chained with commas), deeply nested functional pseudo‑classes like `:not(:not(:not(...)))`, long combinator chains (e.g., `div > div > div …` repeated 500 times), and repeated attribute/class token matching against large values. The `:contains(text)` pseudo‑class scans large descendant text repeatedly. Malformed DOM graphs with cyclic child/parent references cause non‑terminating traversal in selector paths.

Second, linkification: attacker‑controlled text containing punctuation‑heavy input (e.g., 50,000 parentheses) or URLs ending with long unmatched closing brackets (e.g., `]]]]]]]]…`) forces repeated rescans, consuming disproportionate CPU.

These are low‑severity DoS issues – they do not enable script execution, data disclosure, or sanitizer bypass. Attackers need to supply selectors to `query()`/`matches()` or enable `Linkify()` on untrusted text. Default sanitization (`sanitize=True`) does not expose selectors to untrusted users.
dailycve form:
- Platform: justhtml
- Version: <1.18.0
- Vulnerability: DoS via selectors/linkify
- Severity: Low
- Date: 2026-05-04
- Prediction: Already patched
What Undercode Says:

Check the installed version:

```shell
pip show justhtml | grep Version
```

Test an oversized selector (CPU exhaustion):

```shell
python -c "from justhtml import parse; doc=parse('<div></div>'); selector=':not('*5000+':empty)'; doc.query(selector)"
```

Test a cyclic DOM graph (non-terminating traversal):

```shell
python -c "from justhtml import parse, Element; root=Element('div'); child=Element('span'); root.append(child); child.append(root); doc=parse(str(root)); doc.query('div span')"
```

Test linkification with a bracket storm:

```shell
python -c "from justhtml import Linkify; text='https://example.com' + ']'*50000; Linkify().linkify(text)"
```

Upgrade to the patched version:

```shell
pip install --upgrade justhtml==1.18.0
```
Exploit:
- Provide a `:contains()` selector with a 1,000,000-character argument over a document with large text nodes → memory exhaustion.
- Submit a selector list with 100,000 entries (e.g., `div,span,p,a,ul,li,…` repeated) to `query()` → CPU spike.
- Craft a DOM with cyclic parent pointers (a child's parent points back to the child), then run a selector → infinite loop.
- Send punctuation‑heavy text (10,000 parentheses) to `Linkify()` → repeated rescanning, high CPU.
Protection from this CVE:
- Upgrade to justhtml 1.18.0 immediately.
- If upgrading is impossible: never pass untrusted selector strings to `query()`, `matches()`, or selector‑based transforms.
- Limit untrusted document size (e.g., reject >1MB HTML) before selector matching or linkification.
- Avoid constructing DOM graphs from untrusted data; validate that there are no cycles.
- Disable `Linkify()` on large attacker‑controlled text, or set a low character limit (e.g., 10,000 chars).
- Use resource limits (ulimit, CPU timeouts) for processes handling untrusted input.
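The mitigations above can be enforced in front of the library rather than inside it. The following is an added example (not justhtml's own code, and not its API): a pre-check that rejects selector strings with the shapes the advisory describes before they reach `query()`/`matches()`, plus a cycle check for DOM graphs built from untrusted data. The numeric limits and the `Node` stand-in class are assumptions chosen for illustration.

```python
import re

# Illustrative limits (assumptions for this example, not values from justhtml).
MAX_SELECTOR_LEN = 1024   # advisory cites 10,000+ character selectors
MAX_SELECTOR_LIST = 64    # advisory cites 50,000 comma-separated selectors
MAX_NESTING = 3           # :not(:not(:not(...))) depth
MAX_COMBINATORS = 32      # "div > div > div ..." chain length

def selector_problem(selector: str):
    """Return a reason to reject an untrusted selector, or None if it may be passed on."""
    if len(selector) > MAX_SELECTOR_LEN:
        return "selector too long"
    if ":contains(" in selector:
        return "text-scanning pseudo-class not allowed"
    if selector.count(",") + 1 > MAX_SELECTOR_LIST:
        return "too many selectors in list"
    depth = max_depth = 0
    for ch in selector:
        if ch == "(":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == ")":
            depth -= 1
    if depth:
        return "unbalanced parentheses"
    if max_depth > MAX_NESTING:
        return "pseudo-class nesting too deep"
    # Collapse whitespace around explicit combinators, then count explicit (> + ~) and
    # descendant (bare whitespace) combinators; spaces inside attribute values only make this stricter.
    compact = re.sub(r"\s*([>+~,])\s*", r"\1", selector.strip())
    combinators = sum(compact.count(c) for c in ">+~") + len(re.findall(r"\s+", compact))
    if combinators > MAX_COMBINATORS:
        return "too many combinators"
    return None

class Node:
    """Minimal stand-in for a DOM element (assumption): only the child list matters here."""
    def __init__(self, tag: str):
        self.tag, self.children = tag, []

def has_cycle(root: Node) -> bool:
    """Iterative DFS over child links; reaching a node twice means the graph is not a tree."""
    seen, stack = set(), [root]
    while stack:
        node = stack.pop()
        if id(node) in seen:
            return True
        seen.add(id(node))
        stack.extend(node.children)
    return False
```

Run `selector_problem()` on every user-supplied selector and `has_cycle()` on any graph assembled from untrusted input; a non-None reason or a `True` result means the request should be refused before any matching or linkification work is done.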
Impact:
- Availability only – crash or unresponsiveness of the application due to CPU/memory exhaustion.
- No code execution, no data theft, no sanitizer bypass.
- Severity low, but can be chained with other flaws in a pipeline (e.g., a selector injection that also leads to DoS).
- Typically affected: web crawlers, HTML sanitization services, user‑facing query interfaces.
Sources:
Reported By: github.com