GHSA-v7cf-c9rm-wm3j: Uncontrolled recursion DoS in JustHTML() via deeply nested HTML
justhtml through 1.9.1 allows denial of service via deeply nested HTML. During parsing, JustHTML.__init__() always reaches TreeBuilder.finish(), which unconditionally calls _populate_selectedcontent(). That function recursively traverses the DOM via _find_elements() / _find_element() without a depth bound, so attacker-controlled input nested deeper than the interpreter's recursion limit (1000 frames by default on CPython) triggers an unhandled RecursionError. Depending on the host application's exception handling, this can abort parsing, fail requests, or terminate a worker/process. Until a fixed release is in use, the practical mitigations are to reject untrusted input whose nesting depth exceeds a sane bound before parsing and to treat RecursionError at the call site as a parse failure rather than letting it propagate.
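The failure mode and the two mitigations above, as an added example that is not justhtml's code: a toy iterative tree builder stands in for the real parser, `find_elements_recursive()` reproduces the unbounded recursive traversal pattern the advisory describes, `find_elements_iterative()` is the same search with an explicit stack, and `safe_find()` applies a pre-parse depth guard plus RecursionError handling. The hostile document is constructed inline; `MAX_DEPTH` and all function names are assumptions for this example.

```python
"""Added example: unbounded recursive DOM traversal vs. bounded alternatives.
Not justhtml code; names and the MAX_DEPTH value are assumptions."""
import re
import sys

# Toy tag scanner: open/close tags only, attributes skipped, text ignored.
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


class Element:
    __slots__ = ("name", "children")

    def __init__(self, name):
        self.name = name
        self.children = []


def build_tree(html):
    """Iterative toy tree builder; nesting depth only costs heap, not stack."""
    root = Element("#root")
    stack = [root]
    for m in TAG_RE.finditer(html):
        closing, name = m.group(1), m.group(2).lower()
        if closing:
            if len(stack) > 1 and stack[-1].name == name:
                stack.pop()
        else:
            el = Element(name)
            stack[-1].children.append(el)
            stack.append(el)
    return root


def find_elements_recursive(node, name):
    """The vulnerable pattern: one Python frame per nesting level, no bound."""
    found = []
    for child in node.children:
        if child.name == name:
            found.append(child)
        found.extend(find_elements_recursive(child, name))
    return found


def find_elements_iterative(root, name):
    """Same pre-order search with an explicit stack; immune to RecursionError."""
    found = []
    stack = list(reversed(root.children))
    while stack:
        cur = stack.pop()
        if cur.name == name:
            found.append(cur)
        stack.extend(reversed(cur.children))
    return found


def max_nesting_depth(html):
    """Cheap pre-parse guard: tracks open-tag depth without building a tree.
    Void elements (<br>, <img>) are counted as opens here, so this over-estimates,
    which only makes the guard stricter."""
    depth = best = 0
    for m in TAG_RE.finditer(html):
        if m.group(1):
            depth = max(0, depth - 1)
        else:
            depth += 1
            best = max(best, depth)
    return best


MAX_DEPTH = 256  # assumed bound; real documents rarely nest this deep


def safe_find(html, name, max_depth=MAX_DEPTH):
    """Reject hostile nesting before parsing and convert a RecursionError that
    still escapes into an ordinary parse failure instead of a worker crash."""
    if max_nesting_depth(html) > max_depth:
        raise ValueError(f"nesting depth exceeds {max_depth}")
    try:
        return find_elements_recursive(build_tree(html), name)
    except RecursionError:
        raise ValueError("document too deeply nested to parse") from None


def recursive_search_crashes(html, name="select"):
    try:
        find_elements_recursive(build_tree(html), name)
        return False
    except RecursionError:
        return True


def safe_find_rejects(html, name="select"):
    try:
        safe_find(html, name)
        return False
    except ValueError:
        return True


# Constructed inputs: one document nested past the interpreter's limit, one benign.
DEPTH = sys.getrecursionlimit() + 100
HOSTILE = "<div>" * DEPTH + "<select></select>" + "</div>" * DEPTH
BENIGN = "<div><select></select><div><select></select></div></div>"

if __name__ == "__main__":
    print("recursive search crashes on hostile input:", recursive_search_crashes(HOSTILE))
    print("iterative search finds:", len(find_elements_iterative(build_tree(HOSTILE), "select")))
    print("safe_find rejects hostile input:", safe_find_rejects(HOSTILE))
```

The pre-parse depth check is the cheaper defence because it runs in linear time over the bytes and never allocates the tree; the RecursionError handler is the backstop for any other recursive path the parser may take. Raising `sys.setrecursionlimit()` is not a fix: it only moves the threshold and, set high enough, trades a clean exception for a C-stack overflow that kills the process outright.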