Uncontrolled Recursion Affecting justhtml package, versions [,1.10.0)

Q: How to fix?

Upgrade justhtml to version 1.10.0 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-PYTHON-JUSTHTML-15758895
published23 Mar 2026
disclosed17 Mar 2026
creditkq5y

Report a new vulnerability Found a mistake?

Introduced: 17 Mar 2026

NewCWE-674 (opens in a new tab)

How to fix?

Upgrade justhtml to version 1.10.0 or higher.

Overview

justhtml is an A pure Python HTML5 parser that just works.

Affected versions of this package are vulnerable to Uncontrolled Recursion in the construction, when parsing deeply nested HTML structures. An attacker can cause the application to terminate unexpectedly or fail requests by supplying HTML input with excessive nesting, which triggers unbounded recursion and results in an unhandled RecursionError.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
Passive

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None