Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-1k4b-pr5k-s7e5
Vulnerability ID VCID-1k4b-pr5k-s7e5
Aliases GHSA-cwxj-rr6w-m6w7
Summary Scrapy: Arbitrary Module Import via Referrer-Policy Header in RefererMiddleware ### Impact Since version 1.4.0, Scrapy respects the `Referrer-Policy` response header to decide whether and how to set a `Referer` header on follow-up requests. If the header value looked like a valid Python import path, Scrapy would import the referenced object and call it, assuming it referred to a referrer policy class (for example, `scrapy.spidermiddlewares.referer.DefaultReferrerPolicy`) and attempting to instantiate it to handle the `Referer` header. A malicious site could exploit this by setting `Referrer-Policy` to a path such as `sys.exit`, causing Scrapy to import and execute it and potentially terminate the process. ### Patches Upgrade to Scrapy 2.14.2 (or later). ### Workarounds If you cannot upgrade to Scrapy 2.14.2, consider the following mitigations. - **Disable the middleware:** If you don't need the `Referer` header on follow-up requests, set [`REFERER_ENABLED`](https://docs.scrapy.org/en/latest/topics/spider-middleware.html#referer-enabled) to `False`. - **Set headers manually:** If you do need a `Referer`, disable the middleware and set the header explicitly on the requests that require it. - **Set `referrer_policy` in request metadata:** If disabling the middleware is not viable, set the [`referrer_policy`](https://docs.scrapy.org/en/latest/topics/spider-middleware.html#referrer-policy) request meta key on all requests to prevent evaluating preceding responses' `Referrer-Policy`. For example: ```python Request( url, meta={ "referrer_policy": "scrapy.spidermiddlewares.referer.DefaultReferrerPolicy", }, ) ``` Instead of editing requests individually, you can: - implement a custom [spider middleware](https://docs.scrapy.org/en/latest/topics/spider-middleware.html) that runs before the built-in referrer policy middleware and sets the `referrer_policy` meta key; or - set the meta key in start requests and use the [scrapy-sticky-meta-params](https://github.com/heylouiz/scrapy-sticky-meta-params) plugin to propagate it to follow-up requests. If you want to continue respecting legitimate `Referrer-Policy` headers while protecting against malicious ones, disable the built-in referrer policy middleware by setting it to `None` in [`SPIDER_MIDDLEWARES`](https://docs.scrapy.org/en/latest/topics/settings.html#std-setting-SPIDER_MIDDLEWARES) and replace it with the fixed implementation from Scrapy 2.14.2. If the Scrapy 2.14.2 implementation is incompatible with your project (for example, because your Scrapy version is older), copy the corresponding middleware from your Scrapy version, apply the same patch, and use that as a replacement.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-cwxj-rr6w-m6w7
cvssv3.1 7.5 https://github.com/scrapy/scrapy
generic_textual HIGH https://github.com/scrapy/scrapy
cvssv3.1 7.5 https://github.com/scrapy/scrapy/commit/945b787a263586cb5803c01c6da57daad8997ae5
generic_textual HIGH https://github.com/scrapy/scrapy/commit/945b787a263586cb5803c01c6da57daad8997ae5
cvssv3.1 7.5 https://github.com/scrapy/scrapy/security/advisories/GHSA-cwxj-rr6w-m6w7
cvssv3.1_qr HIGH https://github.com/scrapy/scrapy/security/advisories/GHSA-cwxj-rr6w-m6w7
generic_textual HIGH https://github.com/scrapy/scrapy/security/advisories/GHSA-cwxj-rr6w-m6w7
Reference id Reference type URL
https://github.com/scrapy/scrapy
https://github.com/scrapy/scrapy/commit/945b787a263586cb5803c01c6da57daad8997ae5
https://github.com/scrapy/scrapy/security/advisories/GHSA-cwxj-rr6w-m6w7
GHSA-cwxj-rr6w-m6w7 https://github.com/advisories/GHSA-cwxj-rr6w-m6w7
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/scrapy/scrapy
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/scrapy/scrapy/commit/945b787a263586cb5803c01c6da57daad8997ae5
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/scrapy/scrapy/security/advisories/GHSA-cwxj-rr6w-m6w7
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-04-01T12:53:28.876663+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-cwxj-rr6w-m6w7/GHSA-cwxj-rr6w-m6w7.json 38.0.0