Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/scrapy@2
Typepypi
Namespace
Namescrapy
Version2
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.14.2
Latest_non_vulnerable_version2.14.2
Affected_by_vulnerabilities
0
url VCID-64nx-aruy-q7gy
vulnerability_id VCID-64nx-aruy-q7gy
summary A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-1892
reference_id
reference_type
scores
0
value 0.00058
scoring_system epss
scoring_elements 0.18213
published_at 2026-04-12T12:55:00Z
1
value 0.00058
scoring_system epss
scoring_elements 0.1815
published_at 2026-04-21T12:55:00Z
2
value 0.00058
scoring_system epss
scoring_elements 0.18106
published_at 2026-04-16T12:55:00Z
3
value 0.00058
scoring_system epss
scoring_elements 0.18161
published_at 2026-04-13T12:55:00Z
4
value 0.00058
scoring_system epss
scoring_elements 0.1836
published_at 2026-04-02T12:55:00Z
5
value 0.00058
scoring_system epss
scoring_elements 0.18415
published_at 2026-04-04T12:55:00Z
6
value 0.00058
scoring_system epss
scoring_elements 0.18118
published_at 2026-04-18T12:55:00Z
7
value 0.00058
scoring_system epss
scoring_elements 0.18203
published_at 2026-04-08T12:55:00Z
8
value 0.00058
scoring_system epss
scoring_elements 0.18257
published_at 2026-04-09T12:55:00Z
9
value 0.00058
scoring_system epss
scoring_elements 0.18259
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-1892
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1892
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1892
2
reference_url https://docs.scrapy.org/en/latest/news.html#scrapy-1-8-4-2024-02-14
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://docs.scrapy.org/en/latest/news.html#scrapy-1-8-4-2024-02-14
3
reference_url https://docs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://docs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2024-162.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2024-162.yaml
5
reference_url https://github.com/scrapy/scrapy
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/scrapy/scrapy
6
reference_url https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
2
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T16:44:39Z/
url https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5
7
reference_url https://github.com/scrapy/scrapy/commit/73e7c0ed011a0565a1584b8052ec757b54e5270b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/scrapy/scrapy/commit/73e7c0ed011a0565a1584b8052ec757b54e5270b
8
reference_url https://github.com/scrapy/scrapy/security/advisories/GHSA-cc65-xxvf-f7r9
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/scrapy/scrapy/security/advisories/GHSA-cc65-xxvf-f7r9
9
reference_url https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
2
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T16:44:39Z/
url https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065111
reference_id 1065111
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065111
11
reference_url https://github.com/advisories/GHSA-cc65-xxvf-f7r9
reference_id GHSA-cc65-xxvf-f7r9
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cc65-xxvf-f7r9
12
reference_url https://usn.ubuntu.com/7476-1/
reference_id USN-7476-1
reference_type
scores
url https://usn.ubuntu.com/7476-1/
fixed_packages
0
url pkg:pypi/scrapy@2.11.1
purl pkg:pypi/scrapy@2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1k4b-pr5k-s7e5
1
vulnerability VCID-dc1m-rt7j-w3af
2
vulnerability VCID-nekz-z7zw-mfgz
3
vulnerability VCID-t5cn-a543-nyag
4
vulnerability VCID-urb1-hv1z-duga
5
vulnerability VCID-veaw-n6vt-zfgu
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.1
aliases CVE-2024-1892, GHSA-cc65-xxvf-f7r9, GMS-2024-287, PYSEC-2024-162
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-64nx-aruy-q7gy
1
url VCID-8wu8-qh8m-7ubm
vulnerability_id VCID-8wu8-qh8m-7ubm
summary 
Duplicate Advisory: ReDos vulnerability of XMLFeedSpider
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-cc65-xxvf-f7r9. This link is maintained to preserve external references.

## Original Description
Parts of the Scrapy API were found to be vulnerable to a ReDoS attack. Handling a malicious response could cause extreme CPU and memory usage during the parsing of its content, due to the use of vulnerable regular expressions for that parsing.
references
0
reference_url https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5
1
reference_url https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-1892
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-1892
3
reference_url https://github.com/advisories/GHSA-7c9g-vj9m-8pm6
reference_id GHSA-7c9g-vj9m-8pm6
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7c9g-vj9m-8pm6
fixed_packages
0
url pkg:pypi/scrapy@2.11.1
purl pkg:pypi/scrapy@2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1k4b-pr5k-s7e5
1
vulnerability VCID-dc1m-rt7j-w3af
2
vulnerability VCID-nekz-z7zw-mfgz
3
vulnerability VCID-t5cn-a543-nyag
4
vulnerability VCID-urb1-hv1z-duga
5
vulnerability VCID-veaw-n6vt-zfgu
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.1
aliases GHSA-7c9g-vj9m-8pm6
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8wu8-qh8m-7ubm
2
url VCID-kgf5-wu3r-pqc6
vulnerability_id VCID-kgf5-wu3r-pqc6
summary 
Scrapy authorization header leakage on cross-domain redirect
### Impact

When you send a request with the `Authorization` header to one domain, and the response asks to redirect to a different domain, Scrapy’s built-in redirect middleware creates a follow-up redirect request that keeps the original `Authorization` header, leaking its content to that second domain.

The [right behavior](https://fetch.spec.whatwg.org/#ref-for-cors-non-wildcard-request-header-name) would be to drop the `Authorization` header instead, in this scenario.

### Patches

Upgrade to Scrapy 2.11.1.

If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.

### Workarounds

If you cannot upgrade, make sure that you are not using the `Authentication` header, either directly or through some third-party plugin.

If you need to use that header in some requests, add `"dont_redirect": True` to the `request.meta` dictionary of those requests to disable following redirects for them.

If you need to keep (same domain) redirect support on those requests, make sure you trust the target website not to redirect your requests to a different domain.

### Acknowledgements

This security issue was reported by @ranjit-git  [through huntr.com](https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9/).
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-3574
reference_id
reference_type
scores
0
value 0.00121
scoring_system epss
scoring_elements 0.31206
published_at 2026-04-16T12:55:00Z
1
value 0.00121
scoring_system epss
scoring_elements 0.31157
published_at 2026-04-21T12:55:00Z
2
value 0.00121
scoring_system epss
scoring_elements 0.31187
published_at 2026-04-18T12:55:00Z
3
value 0.00121
scoring_system epss
scoring_elements 0.31311
published_at 2026-04-02T12:55:00Z
4
value 0.00121
scoring_system epss
scoring_elements 0.31352
published_at 2026-04-04T12:55:00Z
5
value 0.00121
scoring_system epss
scoring_elements 0.31172
published_at 2026-04-13T12:55:00Z
6
value 0.00121
scoring_system epss
scoring_elements 0.31225
published_at 2026-04-08T12:55:00Z
7
value 0.00121
scoring_system epss
scoring_elements 0.31255
published_at 2026-04-09T12:55:00Z
8
value 0.00121
scoring_system epss
scoring_elements 0.31259
published_at 2026-04-11T12:55:00Z
9
value 0.00121
scoring_system epss
scoring_elements 0.31216
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-3574
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3574
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3574
2
reference_url https://github.com/scrapy/scrapy
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/scrapy/scrapy
3
reference_url https://github.com/scrapy/scrapy/commit/ee7bd9d217fc126063575d5649f00bdeeca2faae
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/scrapy/scrapy/commit/ee7bd9d217fc126063575d5649f00bdeeca2faae
4
reference_url https://github.com/scrapy/scrapy/security/advisories/GHSA-cw9j-q3vf-hrrv
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/scrapy/scrapy/security/advisories/GHSA-cw9j-q3vf-hrrv
5
reference_url https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-18T15:23:27Z/
url https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-3574
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-3574
7
reference_url https://usn.ubuntu.com/7476-1/
reference_id USN-7476-1
reference_type
scores
url https://usn.ubuntu.com/7476-1/
fixed_packages
0
url pkg:pypi/scrapy@2.11.1
purl pkg:pypi/scrapy@2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1k4b-pr5k-s7e5
1
vulnerability VCID-dc1m-rt7j-w3af
2
vulnerability VCID-nekz-z7zw-mfgz
3
vulnerability VCID-t5cn-a543-nyag
4
vulnerability VCID-urb1-hv1z-duga
5
vulnerability VCID-veaw-n6vt-zfgu
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.1
aliases CVE-2024-3574, GHSA-cw9j-q3vf-hrrv, GMS-2024-288
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kgf5-wu3r-pqc6
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2