MEDIUM 6.5
PYSEC-2024-162
Details
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / scrapy
Introduced in:
0 Fixed in: 479619b340f197a8f24c5db45bc068fb8755f2c5 Fix
pip install --upgrade 'scrapy>=479619b340f197a8f24c5db45bc068fb8755f2c5' References
- https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b [EVIDENCE]
- https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5 [FIX]
- https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b [FIX]
- https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b [REPORT]
- https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b [WEB]
- https://github.com/advisories/GHSA-cc65-xxvf-f7r9 [ADVISORY]