Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/841962?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/841962?format=api", "purl": "pkg:pypi/scrapy@2.13.0", "type": "pypi", "namespace": "", "name": "scrapy", "version": "2.13.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.14.2", "latest_non_vulnerable_version": "2.14.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23766?format=api", "vulnerability_id": "VCID-1k4b-pr5k-s7e5", "summary": "Scrapy: Arbitrary Module Import via Referrer-Policy Header in RefererMiddleware\n### Impact\n\nSince version 1.4.0, Scrapy respects the `Referrer-Policy` response header to decide whether and how to set a `Referer` header on follow-up requests.\n\nIf the header value looked like a valid Python import path, Scrapy would import the referenced object and call it, assuming it referred to a referrer policy class (for example, `scrapy.spidermiddlewares.referer.DefaultReferrerPolicy`) and attempting to instantiate it to handle the `Referer` header.\n\nA malicious site could exploit this by setting `Referrer-Policy` to a path such as `sys.exit`, causing Scrapy to import and execute it and potentially terminate the process.\n\n### Patches\n\nUpgrade to Scrapy 2.14.2 (or later).\n\n### Workarounds\n\nIf you cannot upgrade to Scrapy 2.14.2, consider the following mitigations.\n\n- **Disable the middleware:** If you don't need the `Referer` header on follow-up requests, set [`REFERER_ENABLED`](https://docs.scrapy.org/en/latest/topics/spider-middleware.html#referer-enabled) to `False`.\n- **Set headers manually:** If you do need a `Referer`, disable the middleware and set the header explicitly on the requests that require it.\n- **Set `referrer_policy` in request metadata:** If disabling the middleware is not viable, set the [`referrer_policy`](https://docs.scrapy.org/en/latest/topics/spider-middleware.html#referrer-policy) request meta key on all requests to prevent evaluating preceding responses' `Referrer-Policy`. For example:\n\n```python\nRequest(\n url,\n meta={\n \"referrer_policy\": \"scrapy.spidermiddlewares.referer.DefaultReferrerPolicy\",\n },\n)\n```\n\nInstead of editing requests individually, you can:\n\n- implement a custom [spider middleware](https://docs.scrapy.org/en/latest/topics/spider-middleware.html) that runs before the built-in referrer policy middleware and sets the `referrer_policy` meta key; or\n- set the meta key in start requests and use the [scrapy-sticky-meta-params](https://github.com/heylouiz/scrapy-sticky-meta-params) plugin to propagate it to follow-up requests.\n\nIf you want to continue respecting legitimate `Referrer-Policy` headers while protecting against malicious ones, disable the built-in referrer policy middleware by setting it to `None` in [`SPIDER_MIDDLEWARES`](https://docs.scrapy.org/en/latest/topics/settings.html#std-setting-SPIDER_MIDDLEWARES) and replace it with the fixed implementation from Scrapy 2.14.2.\n\nIf the Scrapy 2.14.2 implementation is incompatible with your project (for example, because your Scrapy version is older), copy the corresponding middleware from your Scrapy version, apply the same patch, and use that as a replacement.", "references": [ { "reference_url": "https://github.com/scrapy/scrapy", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy" }, { "reference_url": "https://github.com/scrapy/scrapy/commit/945b787a263586cb5803c01c6da57daad8997ae5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/commit/945b787a263586cb5803c01c6da57daad8997ae5" }, { "reference_url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-cwxj-rr6w-m6w7", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-cwxj-rr6w-m6w7" }, { "reference_url": "https://github.com/advisories/GHSA-cwxj-rr6w-m6w7", "reference_id": "GHSA-cwxj-rr6w-m6w7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cwxj-rr6w-m6w7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66774?format=api", "purl": "pkg:pypi/scrapy@2.14.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.14.2" } ], "aliases": [ "GHSA-cwxj-rr6w-m6w7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1k4b-pr5k-s7e5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22199?format=api", "vulnerability_id": "VCID-dc1m-rt7j-w3af", "summary": "Scrapy is vulnerable to a denial of service (DoS) attack due to flaws in brotli decompression implementation\nScrapy versions up to 2.13.3 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression. Mitigation for this vulnerability needs security enhancement added in brotli v1.2.0.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6176.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6176.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6176", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08092", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08068", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08008", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08047", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09633", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09719", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09762", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09605", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09795", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09763", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09747", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11087", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6176" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6176", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6176" }, { "reference_url": "https://github.com/google/brotli", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/google/brotli" }, { "reference_url": "https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627" }, { "reference_url": "https://github.com/google/brotli/issues/1327", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/google/brotli/issues/1327" }, { "reference_url": "https://github.com/google/brotli/issues/1375", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/google/brotli/issues/1375" }, { "reference_url": "https://github.com/google/brotli/pull/1234", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/google/brotli/pull/1234" }, { "reference_url": "https://github.com/google/brotli/releases/tag/v1.2.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/google/brotli/releases/tag/v1.2.0" }, { "reference_url": "https://github.com/scrapy/scrapy/commit/14737e91edc513967f516fc839cc9c8a4f8d91da", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/commit/14737e91edc513967f516fc839cc9c8a4f8d91da" }, { "reference_url": "https://github.com/scrapy/scrapy/pull/7134", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/pull/7134" }, { "reference_url": "https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-31T16:15:58Z/" } ], "url": "https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2408762", "reference_id": "2408762", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2408762" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6176", "reference_id": "CVE-2025-6176", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6176" }, { "reference_url": "https://github.com/advisories/GHSA-2qfp-q593-8484", "reference_id": "GHSA-2qfp-q593-8484", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2qfp-q593-8484" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:0008", "reference_id": "RHSA-2026:0008", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:0008" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:0845", "reference_id": "RHSA-2026:0845", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:0845" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2042", "reference_id": "RHSA-2026:2042", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2042" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2226", "reference_id": "RHSA-2026:2226", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2226" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2227", "reference_id": "RHSA-2026:2227", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2227" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2228", "reference_id": "RHSA-2026:2228", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2228" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2229", "reference_id": "RHSA-2026:2229", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2229" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2389", "reference_id": "RHSA-2026:2389", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2389" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2399", "reference_id": "RHSA-2026:2399", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2399" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2400", "reference_id": "RHSA-2026:2400", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2400" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2401", "reference_id": "RHSA-2026:2401", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2401" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2455", "reference_id": "RHSA-2026:2455", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2455" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2737", "reference_id": "RHSA-2026:2737", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2737" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2800", "reference_id": "RHSA-2026:2800", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2800" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2844", "reference_id": "RHSA-2026:2844", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2844" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2974", "reference_id": "RHSA-2026:2974", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2974" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2976", "reference_id": "RHSA-2026:2976", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2976" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3392", "reference_id": "RHSA-2026:3392", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3392" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3406", "reference_id": "RHSA-2026:3406", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3406" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3415", "reference_id": "RHSA-2026:3415", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3415" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3417", "reference_id": "RHSA-2026:3417", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3417" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3861", "reference_id": "RHSA-2026:3861", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3861" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4419", "reference_id": "RHSA-2026:4419", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4419" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4465", "reference_id": "RHSA-2026:4465", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4465" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64781?format=api", "purl": "pkg:pypi/scrapy@2.13.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.13.4" } ], "aliases": [ "CVE-2025-6176", "GHSA-2qfp-q593-8484" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dc1m-rt7j-w3af" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.13.0" }