Search for packages
| purl | pkg:pypi/scrapy@2 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-64nx-aruy-q7gy
Aliases: CVE-2024-1892 GHSA-cc65-xxvf-f7r9 GMS-2024-287 PYSEC-2024-162 |
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive. |
Affected by 6 other vulnerabilities. |
|
VCID-8wu8-qh8m-7ubm
Aliases: GHSA-7c9g-vj9m-8pm6 |
Duplicate Advisory: ReDos vulnerability of XMLFeedSpider ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-cc65-xxvf-f7r9. This link is maintained to preserve external references. ## Original Description Parts of the Scrapy API were found to be vulnerable to a ReDoS attack. Handling a malicious response could cause extreme CPU and memory usage during the parsing of its content, due to the use of vulnerable regular expressions for that parsing. |
Affected by 6 other vulnerabilities. |
|
VCID-kgf5-wu3r-pqc6
Aliases: CVE-2024-3574 GHSA-cw9j-q3vf-hrrv GMS-2024-288 |
Scrapy authorization header leakage on cross-domain redirect ### Impact When you send a request with the `Authorization` header to one domain, and the response asks to redirect to a different domain, Scrapy’s built-in redirect middleware creates a follow-up redirect request that keeps the original `Authorization` header, leaking its content to that second domain. The [right behavior](https://fetch.spec.whatwg.org/#ref-for-cors-non-wildcard-request-header-name) would be to drop the `Authorization` header instead, in this scenario. ### Patches Upgrade to Scrapy 2.11.1. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead. ### Workarounds If you cannot upgrade, make sure that you are not using the `Authentication` header, either directly or through some third-party plugin. If you need to use that header in some requests, add `"dont_redirect": True` to the `request.meta` dictionary of those requests to disable following redirects for them. If you need to keep (same domain) redirect support on those requests, make sure you trust the target website not to redirect your requests to a different domain. ### Acknowledgements This security issue was reported by @ranjit-git [through huntr.com](https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9/). |
Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T16:04:43.062993+00:00 | GHSA Importer | Affected by | VCID-8wu8-qh8m-7ubm | https://github.com/advisories/GHSA-7c9g-vj9m-8pm6 | 38.0.0 |
| 2026-04-01T16:04:34.384229+00:00 | GHSA Importer | Affected by | VCID-kgf5-wu3r-pqc6 | https://github.com/advisories/GHSA-cw9j-q3vf-hrrv | 38.0.0 |
| 2026-04-01T16:04:33.736808+00:00 | GHSA Importer | Affected by | VCID-64nx-aruy-q7gy | https://github.com/advisories/GHSA-cc65-xxvf-f7r9 | 38.0.0 |
| 2026-04-01T12:52:31.004051+00:00 | GitLab Importer | Affected by | VCID-64nx-aruy-q7gy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/scrapy/CVE-2024-1892.yml | 38.0.0 |
| 2026-04-01T12:52:30.805130+00:00 | GitLab Importer | Affected by | VCID-kgf5-wu3r-pqc6 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/scrapy/GMS-2024-288.yml | 38.0.0 |