Search for packages
| purl | pkg:deb/debian/python-scrapy@2.4.1-2%2Bdeb11u1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-atnw-pnvj-zkhp
Aliases: CVE-2024-1892 PYSEC-2024-162 |
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive. |
Affected by 1 other vulnerability. |
|
VCID-n6z2-awrh-7kbg
Aliases: CVE-2024-1968 PYSEC-2024-258 |
In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes. Consequently, when a redirect downgrades from HTTPS to HTTP, the Authorization header may be inadvertently exposed in plaintext, leading to potential sensitive information disclosure to unauthorized actors. The flaw is located in the _build_redirect_request function of the redirect middleware. |
Affected by 1 other vulnerability. |
|
VCID-rbs9-h2ay-qybj
Aliases: CVE-2024-3572 GHSA-rmqv-7v3j-mr7p |
Duplicate This advisory duplicates another. |
Affected by 1 other vulnerability. |
|
VCID-spj3-t26x-aba3
Aliases: CVE-2024-3574 GHSA-4q82-j5c2-g2c5 |
Duplicate This advisory duplicates another. |
Affected by 1 other vulnerability. |
|
VCID-uwag-f4xk-yqaw
Aliases: CVE-2025-6176 GHSA-2qfp-q593-8484 |
Scrapy is vulnerable to a denial of service (DoS) attack due to flaws in brotli decompression implementation Scrapy versions up to 2.13.3 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression. Mitigation for this vulnerability needs security enhancement added in brotli v1.2.0. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-4q2x-51p4-eygm | information disclosure |
CVE-2021-41125
GHSA-jwqp-28gf-p498 PYSEC-2021-363 |
| VCID-jrh5-kjau-xkar | Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1. |
CVE-2022-0577
GHSA-cjvr-mfj7-j4j8 PYSEC-2022-159 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T09:41:28.562261+00:00 | Debian Oval Importer | Fixing | VCID-jrh5-kjau-xkar | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.6.0 |
| 2026-06-06T06:01:14.807335+00:00 | Debian Oval Importer | Fixing | VCID-4q2x-51p4-eygm | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.6.0 |
| 2026-06-05T20:41:14.560229+00:00 | Debian Importer | Affected by | VCID-spj3-t26x-aba3 | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-05T20:39:27.093831+00:00 | Debian Importer | Affected by | VCID-atnw-pnvj-zkhp | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-05T20:08:51.957502+00:00 | Debian Importer | Affected by | VCID-rbs9-h2ay-qybj | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-05T19:46:12.416491+00:00 | Debian Importer | Affected by | VCID-uwag-f4xk-yqaw | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-05T19:22:47.822234+00:00 | Debian Importer | Affected by | VCID-n6z2-awrh-7kbg | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |