Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/19042?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/19042?format=api", "purl": "pkg:pypi/scrapy@1.1.0rc2", "type": "pypi", "namespace": "", "name": "scrapy", "version": "1.1.0rc2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.14.2", "latest_non_vulnerable_version": "2.14.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15210?format=api", "vulnerability_id": "VCID-385b-344t-23es", "summary": "Scrapy decompression bomb vulnerability\n### Impact\n\nScrapy limits allowed response sizes by default through the [`DOWNLOAD_MAXSIZE`](https://docs.scrapy.org/en/latest/topics/settings.html#download-maxsize) and [`DOWNLOAD_WARNSIZE`](https://docs.scrapy.org/en/latest/topics/settings.html#download-warnsize) settings.\n\nHowever, those limits were only being enforced during the download of the raw, usually-compressed response bodies, and not during decompression, making Scrapy vulnerable to [decompression bombs](https://cwe.mitre.org/data/definitions/409.html).\n\nA malicious website being scraped could send a small response that, on decompression, could exhaust the memory available to the Scrapy process, potentially affecting any other process sharing that memory, and affecting disk usage in case of uncompressed response caching.\n\n### Patches\n\nUpgrade to Scrapy 2.11.1.\n\nIf you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.\n\n### Workarounds\n\nThere is no easy workaround.\n\nDisabling HTTP decompression altogether is impractical, as HTTP compression is a rather common practice.\n\nHowever, it is technically possible to manually backport the 2.11.1 or 1.8.4 fix, replacing the corresponding components of an unpatched version of Scrapy with patched versions copied into your own code.\n\n### Acknowledgements\n\nThis security issue was reported by @dmandefy [through 
huntr.com](https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb/).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3572", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.36643", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.36157", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.36243", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.36274", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.36503", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.36559", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.36576", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.36532", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.36556", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.3659", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.36584", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.36565", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.36513", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00157", "scoring_system": "epss", "scoring_elements": "0.36675", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00161", "scoring_system": "epss", "scoring_elements": "0.36572", 
"published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00161", "scoring_system": "epss", "scoring_elements": "0.36459", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00161", "scoring_system": "epss", "scoring_elements": "0.3653", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00161", "scoring_system": "epss", "scoring_elements": "0.36558", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00161", "scoring_system": "epss", "scoring_elements": "0.36474", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00161", "scoring_system": "epss", "scoring_elements": "0.36497", "published_at": "2026-05-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3572" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3572", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3572" }, { "reference_url": "https://docs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://docs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14" }, { "reference_url": "https://github.com/scrapy/scrapy", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy" }, { "reference_url": "https://github.com/scrapy/scrapy/commit/71b8741e3607cfda2833c7624d4ada87071aa8e5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": 
"HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/commit/71b8741e3607cfda2833c7624d4ada87071aa8e5" }, { "reference_url": "https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-18T15:21:44Z/" } ], "url": "https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f" }, { "reference_url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7" }, { "reference_url": "https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-18T15:21:44Z/" } ], "url": 
"https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3572", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3572" }, { "reference_url": "https://github.com/advisories/GHSA-7j7m-v7m3-jqm7", "reference_id": "GHSA-7j7m-v7m3-jqm7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7j7m-v7m3-jqm7" }, { "reference_url": "https://usn.ubuntu.com/7476-1/", "reference_id": "USN-7476-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7476-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/45161?format=api", "purl": "pkg:pypi/scrapy@1.8.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-64nx-aruy-q7gy" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" }, { "vulnerability": "VCID-nekz-z7zw-mfgz" }, { "vulnerability": "VCID-t5cn-a543-nyag" }, { "vulnerability": "VCID-urb1-hv1z-duga" }, { "vulnerability": "VCID-veaw-n6vt-zfgu" }, { "vulnerability": "VCID-x9ee-za9y-3fcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@1.8.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/45174?format=api", "purl": "pkg:pypi/scrapy@2.11.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" }, { "vulnerability": "VCID-nekz-z7zw-mfgz" }, { "vulnerability": "VCID-t5cn-a543-nyag" }, { "vulnerability": "VCID-urb1-hv1z-duga" }, { "vulnerability": "VCID-veaw-n6vt-zfgu" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.1" } ], "aliases": [ "CVE-2024-3572", "GHSA-7j7m-v7m3-jqm7", "GMS-2024-327" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-385b-344t-23es" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/6618?format=api", "vulnerability_id": "VCID-4vw6-u8m8-dbe2", "summary": "Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. 
If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`.", "references": [ { "reference_url": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41125", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48491", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48422", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48458", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.4848", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48432", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48487", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48481", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00251", 
"scoring_system": "epss", "scoring_elements": "0.48505", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48478", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.4849", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48541", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48536", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48494", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48437", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48354", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48416", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48441", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48385", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00251", "scoring_system": "epss", "scoring_elements": "0.48415", "published_at": "2026-05-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41125" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41125", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41125" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2021-363.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { 
"value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2021-363.yaml" }, { "reference_url": "https://github.com/scrapy/scrapy", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy" }, { "reference_url": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6" }, { "reference_url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html" }, { "reference_url": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header" }, { "reference_url": "https://security.archlinux.org/AVG-2447", "reference_id": "AVG-2447", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2447" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41125", "reference_id": "CVE-2021-41125", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-41125" }, { "reference_url": "https://github.com/advisories/GHSA-jwqp-28gf-p498", "reference_id": "GHSA-jwqp-28gf-p498", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jwqp-28gf-p498" }, { "reference_url": "https://usn.ubuntu.com/7476-1/", "reference_id": "USN-7476-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7476-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19078?format=api", "purl": "pkg:pypi/scrapy@1.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-385b-344t-23es" }, { "vulnerability": "VCID-64nx-aruy-q7gy" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" }, { "vulnerability": "VCID-jvzg-u5ks-tkhd" }, { "vulnerability": "VCID-kgf5-wu3r-pqc6" }, { "vulnerability": "VCID-m9gg-8qum-9bh2" }, { "vulnerability": "VCID-nekz-z7zw-mfgz" }, { "vulnerability": "VCID-t5cn-a543-nyag" }, { "vulnerability": "VCID-ugxf-pfaw-rqbm" }, { "vulnerability": "VCID-urb1-hv1z-duga" }, { "vulnerability": "VCID-veaw-n6vt-zfgu" }, { "vulnerability": "VCID-x9ee-za9y-3fcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@1.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/19079?format=api", "purl": "pkg:pypi/scrapy@2.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-385b-344t-23es" }, { "vulnerability": "VCID-64nx-aruy-q7gy" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" }, { "vulnerability": "VCID-jvzg-u5ks-tkhd" }, { "vulnerability": "VCID-kgf5-wu3r-pqc6" }, { "vulnerability": "VCID-m9gg-8qum-9bh2" }, { "vulnerability": "VCID-nekz-z7zw-mfgz" }, { "vulnerability": "VCID-t5cn-a543-nyag" }, { "vulnerability": "VCID-ugxf-pfaw-rqbm" }, { "vulnerability": "VCID-urb1-hv1z-duga" }, 
{ "vulnerability": "VCID-veaw-n6vt-zfgu" }, { "vulnerability": "VCID-x9ee-za9y-3fcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.5.1" } ], "aliases": [ "CVE-2021-41125", "GHSA-jwqp-28gf-p498", "PYSEC-2021-363" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4vw6-u8m8-dbe2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/12569?format=api", "vulnerability_id": "VCID-64nx-aruy-q7gy", "summary": "A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1892", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18106", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.17953", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.1786", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18005", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.1804", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18063", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", 
"scoring_elements": "0.1836", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18415", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18118", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18203", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18257", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18259", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18213", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18161", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.1815", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.1814", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18052", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18018", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18056", "published_at": "2026-05-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1892" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1892", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1892" }, { "reference_url": "https://docs.scrapy.org/en/latest/news.html#scrapy-1-8-4-2024-02-14", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://docs.scrapy.org/en/latest/news.html#scrapy-1-8-4-2024-02-14" }, { "reference_url": "https://docs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://docs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2024-162.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2024-162.yaml" }, { "reference_url": "https://github.com/scrapy/scrapy", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy" }, { "reference_url": "https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": 
"HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T16:44:39Z/" } ], "url": "https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5" }, { "reference_url": "https://github.com/scrapy/scrapy/commit/73e7c0ed011a0565a1584b8052ec757b54e5270b", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/commit/73e7c0ed011a0565a1584b8052ec757b54e5270b" }, { "reference_url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-cc65-xxvf-f7r9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-cc65-xxvf-f7r9" }, { "reference_url": "https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T16:44:39Z/" } ], "url": 
"https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065111", "reference_id": "1065111", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065111" }, { "reference_url": "https://github.com/advisories/GHSA-cc65-xxvf-f7r9", "reference_id": "GHSA-cc65-xxvf-f7r9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cc65-xxvf-f7r9" }, { "reference_url": "https://usn.ubuntu.com/7476-1/", "reference_id": "USN-7476-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7476-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/45161?format=api", "purl": "pkg:pypi/scrapy@1.8.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-64nx-aruy-q7gy" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" }, { "vulnerability": "VCID-nekz-z7zw-mfgz" }, { "vulnerability": "VCID-t5cn-a543-nyag" }, { "vulnerability": "VCID-urb1-hv1z-duga" }, { "vulnerability": "VCID-veaw-n6vt-zfgu" }, { "vulnerability": "VCID-x9ee-za9y-3fcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@1.8.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/45174?format=api", "purl": "pkg:pypi/scrapy@2.11.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" }, { "vulnerability": "VCID-nekz-z7zw-mfgz" }, { "vulnerability": "VCID-t5cn-a543-nyag" }, { "vulnerability": "VCID-urb1-hv1z-duga" }, { "vulnerability": "VCID-veaw-n6vt-zfgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.1" } ], "aliases": [ "CVE-2024-1892", "GHSA-cc65-xxvf-f7r9", "GMS-2024-287", "PYSEC-2024-162" ], "risk_score": 4.0, 
"exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-64nx-aruy-q7gy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22199?format=api", "vulnerability_id": "VCID-dc1m-rt7j-w3af", "summary": "Scrapy is vulnerable to a denial of service (DoS) attack due to flaws in its brotli decompression implementation\nScrapy versions up to 2.13.3 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression. Mitigating this vulnerability requires the security enhancement added in brotli v1.2.0.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6176.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6176.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6176", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08092", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08068", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08008", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": 
"0.08047", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09799", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09719", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09762", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09632", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09605", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09633", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09747", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09763", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09795", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09943", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09878", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.0984", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09866", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11087", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6176" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6176", "reference_id": "", "reference_type": "", "scores": [], "url": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6176" }, { "reference_url": "https://github.com/google/brotli", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/google/brotli" }, { "reference_url": "https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627" }, { "reference_url": "https://github.com/google/brotli/issues/1327", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/google/brotli/issues/1327" }, { "reference_url": "https://github.com/google/brotli/issues/1375", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/google/brotli/issues/1375" }, { "reference_url": "https://github.com/google/brotli/pull/1234", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/google/brotli/pull/1234" }, { "reference_url": "https://github.com/google/brotli/releases/tag/v1.2.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/google/brotli/releases/tag/v1.2.0" }, { "reference_url": "https://github.com/scrapy/scrapy/commit/14737e91edc513967f516fc839cc9c8a4f8d91da", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/commit/14737e91edc513967f516fc839cc9c8a4f8d91da" }, { "reference_url": "https://github.com/scrapy/scrapy/pull/7134", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/pull/7134" }, { "reference_url": "https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-31T16:15:58Z/" } ], "url": "https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0" }, { "reference_url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2408762", "reference_id": "2408762", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2408762" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6176", "reference_id": "CVE-2025-6176", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6176" }, { "reference_url": "https://github.com/advisories/GHSA-2qfp-q593-8484", "reference_id": "GHSA-2qfp-q593-8484", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2qfp-q593-8484" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:0008", "reference_id": "RHSA-2026:0008", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:0008" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:0845", "reference_id": "RHSA-2026:0845", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:0845" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2042", "reference_id": "RHSA-2026:2042", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2042" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2226", "reference_id": "RHSA-2026:2226", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2226" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2227", "reference_id": "RHSA-2026:2227", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2227" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2228", "reference_id": "RHSA-2026:2228", "reference_type": "", 
"scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2228" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2229", "reference_id": "RHSA-2026:2229", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2229" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2389", "reference_id": "RHSA-2026:2389", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2389" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2399", "reference_id": "RHSA-2026:2399", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2399" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2400", "reference_id": "RHSA-2026:2400", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2400" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2401", "reference_id": "RHSA-2026:2401", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2401" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2455", "reference_id": "RHSA-2026:2455", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2455" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2737", "reference_id": "RHSA-2026:2737", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2737" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2800", "reference_id": "RHSA-2026:2800", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2800" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2844", "reference_id": "RHSA-2026:2844", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2844" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2974", "reference_id": "RHSA-2026:2974", "reference_type": "", 
"scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2974" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2976", "reference_id": "RHSA-2026:2976", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2976" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3392", "reference_id": "RHSA-2026:3392", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3392" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3406", "reference_id": "RHSA-2026:3406", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3406" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3415", "reference_id": "RHSA-2026:3415", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3415" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3417", "reference_id": "RHSA-2026:3417", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3417" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3861", "reference_id": "RHSA-2026:3861", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3861" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4419", "reference_id": "RHSA-2026:4419", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4419" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4465", "reference_id": "RHSA-2026:4465", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4465" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64781?format=api", "purl": "pkg:pypi/scrapy@2.13.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.13.4" } ], 
"aliases": [ "CVE-2025-6176", "GHSA-2qfp-q593-8484" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dc1m-rt7j-w3af" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/13101?format=api", "vulnerability_id": "VCID-jvzg-u5ks-tkhd", "summary": "Cookie-setting is not restricted based on the public suffix list\nResponses from domain names whose public domain name suffix contains 1 or more periods (e.g. responses from `example.co.uk`, given its public domain name suffix is `co.uk`) are able to set cookies that are included in requests to any other domain sharing the same domain name suffix.", "references": [ { "reference_url": "https://github.com/scrapy/scrapy", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy" }, { "reference_url": "https://github.com/scrapy/scrapy/commit/e865c4430e58a4faa0e0766b23830f8423d6167a", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/commit/e865c4430e58a4faa0e0766b23830f8423d6167a" }, { "reference_url": "https://github.com/advisories/GHSA-mfjm-vh54-3f96", "reference_id": "GHSA-mfjm-vh54-3f96", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mfjm-vh54-3f96" }, { "reference_url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-mfjm-vh54-3f96", "reference_id": "GHSA-mfjm-vh54-3f96", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/scrapy/scrapy/security/advisories/GHSA-mfjm-vh54-3f96" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/25479?format=api", "purl": "pkg:pypi/scrapy@1.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-385b-344t-23es" }, { "vulnerability": "VCID-64nx-aruy-q7gy" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" }, { "vulnerability": "VCID-kgf5-wu3r-pqc6" }, { "vulnerability": "VCID-m9gg-8qum-9bh2" }, { "vulnerability": "VCID-nekz-z7zw-mfgz" }, { "vulnerability": "VCID-t5cn-a543-nyag" }, { "vulnerability": "VCID-ugxf-pfaw-rqbm" }, { "vulnerability": "VCID-urb1-hv1z-duga" }, { "vulnerability": "VCID-veaw-n6vt-zfgu" }, { "vulnerability": "VCID-x9ee-za9y-3fcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@1.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/25480?format=api", "purl": "pkg:pypi/scrapy@2.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-385b-344t-23es" }, { "vulnerability": "VCID-64nx-aruy-q7gy" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" }, { "vulnerability": "VCID-kgf5-wu3r-pqc6" }, { "vulnerability": "VCID-m9gg-8qum-9bh2" }, { "vulnerability": "VCID-nekz-z7zw-mfgz" }, { "vulnerability": "VCID-t5cn-a543-nyag" }, { "vulnerability": "VCID-ugxf-pfaw-rqbm" }, { "vulnerability": "VCID-urb1-hv1z-duga" }, { "vulnerability": "VCID-veaw-n6vt-zfgu" }, { "vulnerability": "VCID-x9ee-za9y-3fcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.6.0" } ], "aliases": [ "GHSA-mfjm-vh54-3f96", "GMS-2022-230" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jvzg-u5ks-tkhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15539?format=api", "vulnerability_id": 
"VCID-kgf5-wu3r-pqc6", "summary": "Scrapy authorization header leakage on cross-domain redirect\n### Impact\n\nWhen you send a request with the `Authorization` header to one domain, and the response asks to redirect to a different domain, Scrapy’s built-in redirect middleware creates a follow-up redirect request that keeps the original `Authorization` header, leaking its content to that second domain.\n\nThe [right behavior](https://fetch.spec.whatwg.org/#ref-for-cors-non-wildcard-request-header-name) would be to drop the `Authorization` header instead, in this scenario.\n\n### Patches\n\nUpgrade to Scrapy 2.11.1.\n\nIf you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.\n\n### Workarounds\n\nIf you cannot upgrade, make sure that you are not using the `Authorization` header, either directly or through some third-party plugin.\n\nIf you need to use that header in some requests, add `\"dont_redirect\": True` to the `request.meta` dictionary of those requests to disable following redirects for them.\n\nIf you need to keep (same-domain) redirect support on those requests, make sure you trust the target website not to redirect your requests to a different domain.\n\n### Acknowledgements\n\nThis security issue was reported by @ranjit-git [through huntr.com](https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9/).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3574", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.30728", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.31172", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.31225", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", 
"scoring_elements": "0.31255", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.31259", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.31216", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.31206", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.31187", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.31157", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.30996", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.30875", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.3079", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.30641", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.3071", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.3072", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.3064", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.30662", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.31311", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.31352", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3574" }, { "reference_url": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3574", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3574" }, { "reference_url": "https://github.com/scrapy/scrapy", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy" }, { "reference_url": "https://github.com/scrapy/scrapy/commit/ee7bd9d217fc126063575d5649f00bdeeca2faae", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/commit/ee7bd9d217fc126063575d5649f00bdeeca2faae" }, { "reference_url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-cw9j-q3vf-hrrv", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-cw9j-q3vf-hrrv" }, { "reference_url": "https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-18T15:23:27Z/" } ], "url": "https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3574", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3574" }, { "reference_url": "https://usn.ubuntu.com/7476-1/", "reference_id": "USN-7476-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7476-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/45161?format=api", "purl": "pkg:pypi/scrapy@1.8.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-64nx-aruy-q7gy" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" }, { "vulnerability": "VCID-nekz-z7zw-mfgz" }, { "vulnerability": "VCID-t5cn-a543-nyag" }, { "vulnerability": "VCID-urb1-hv1z-duga" }, { "vulnerability": "VCID-veaw-n6vt-zfgu" }, { "vulnerability": "VCID-x9ee-za9y-3fcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@1.8.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/45174?format=api", "purl": "pkg:pypi/scrapy@2.11.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" }, { "vulnerability": "VCID-nekz-z7zw-mfgz" }, { "vulnerability": "VCID-t5cn-a543-nyag" }, { "vulnerability": "VCID-urb1-hv1z-duga" }, { "vulnerability": "VCID-veaw-n6vt-zfgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.1" } ], "aliases": [ "CVE-2024-3574", "GHSA-cw9j-q3vf-hrrv", "GMS-2024-288" ], "risk_score": 4.0, "exploitability": "0.5", 
"weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kgf5-wu3r-pqc6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/5619?format=api", "vulnerability_id": "VCID-m9gg-8qum-9bh2", "summary": "Scrapy 1.4 allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.", "references": [ { "reference_url": "http://blog.csdn.net/wangtua/article/details/75228728", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://blog.csdn.net/wangtua/article/details/75228728" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-14158", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66372", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66216", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66185", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66221", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66235", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66244", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66256", 
"published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66236", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.6628", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66322", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66294", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66314", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66111", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66153", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66179", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66149", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66197", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.6621", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66229", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-14158" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14158", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14158" }, { "reference_url": "https://github.com/advisories/GHSA-h7wm-ph43-c39p", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-h7wm-ph43-c39p" }, { "reference_url": "https://github.com/pypa/advisory-database/blob/8b7a4d62a95e8f605e5dfb4e0b4f299e6403dc12/vulns/scrapy/PYSEC-2017-83.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/blob/8b7a4d62a95e8f605e5dfb4e0b4f299e6403dc12/vulns/scrapy/PYSEC-2017-83.yaml" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2017-83.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2017-83.yaml" }, { "reference_url": "https://github.com/scrapy/scrapy", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy" }, { "reference_url": "https://github.com/scrapy/scrapy/issues/482", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/issues/482" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875947", "reference_id": "875947", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875947" }, { 
"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14158", "reference_id": "CVE-2017-14158", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14158" } ], "fixed_packages": [], "aliases": [ "CVE-2017-14158", "GHSA-h7wm-ph43-c39p", "PYSEC-2017-83" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m9gg-8qum-9bh2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/19577?format=api", "vulnerability_id": "VCID-nekz-z7zw-mfgz", "summary": "Scrapy allows redirect following in protocols other than HTTP\n### Impact\n\nScrapy was following redirects regardless of the URL protocol, so redirects were working for `data://`, `file://`, `ftp://`, `s3://`, and any other scheme defined in the `DOWNLOAD_HANDLERS` setting.\n\nHowever, HTTP redirects should only work between URLs that use the `http://` or `https://` schemes.\n\nA malicious actor, given write access to the start requests (e.g. ability to define `start_urls`) of a spider and read access to the spider output, could exploit this vulnerability to:\n- Redirect to any local file using the `file://` scheme to read its contents.\n- Redirect to an `ftp://` URL of a malicious FTP server to obtain the FTP username and password configured in the spider or project.\n- Redirect to any `s3://` URL to read its content using the S3 credentials configured in the spider or project.\n\nFor `file://` and `s3://`, how the spider implements its parsing of input data into an output item determines what data would be vulnerable. 
A spider that always outputs the entire contents of a response would be completely vulnerable, while a spider that extracts only fragments from the response could significantly limit the vulnerable data.\n\n### Patches\n\nUpgrade to Scrapy 2.11.2.\n\n### Workarounds\n\nReplace the built-in redirect middlewares (`RedirectMiddleware` and `MetaRefreshMiddleware`) with custom ones that implement the fix from Scrapy 2.11.2, and verify that they work as intended.\n\n### References\n\nThis security issue was reported by @mvsantos at https://github.com/scrapy/scrapy/issues/457.", "references": [ { "reference_url": "https://github.com/scrapy/scrapy", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy" }, { "reference_url": "https://github.com/scrapy/scrapy/commit/36287cb665ab4b0c65fd53181c9a0ef04990ada6", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/commit/36287cb665ab4b0c65fd53181c9a0ef04990ada6" }, { "reference_url": "https://github.com/scrapy/scrapy/issues/457", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/issues/457" }, { "reference_url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-23j4-mw76-5v7h", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-23j4-mw76-5v7h" }, { "reference_url": "https://github.com/advisories/GHSA-23j4-mw76-5v7h", "reference_id": "GHSA-23j4-mw76-5v7h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-23j4-mw76-5v7h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46023?format=api", "purl": "pkg:pypi/scrapy@2.11.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.2" } ], "aliases": [ "GHSA-23j4-mw76-5v7h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nekz-z7zw-mfgz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/19159?format=api", "vulnerability_id": "VCID-t5cn-a543-nyag", "summary": "Duplicate Advisory: Scrapy leaks the authorization header on same-domain but cross-origin redirects\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-4qqq-9vqf-3h3f. This link is maintained to preserve external references.\n\n## Original Description\nIn scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes. 
Consequently, when a redirect downgrades from HTTPS to HTTP, the Authorization header may be inadvertently exposed in plaintext, leading to potential sensitive information disclosure to unauthorized actors. The flaw is located in the _build_redirect_request function of the redirect middleware.", "references": [ { "reference_url": "https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8" }, { "reference_url": "https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1968", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1968" }, { "reference_url": "https://github.com/advisories/GHSA-cg34-w3fm-82h3", "reference_id": "GHSA-cg34-w3fm-82h3", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cg34-w3fm-82h3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46023?format=api", "purl": "pkg:pypi/scrapy@2.11.2", 
"is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.2" } ], "aliases": [ "GHSA-cg34-w3fm-82h3" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t5cn-a543-nyag" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53962?format=api", "vulnerability_id": "VCID-ugxf-pfaw-rqbm", "summary": "Scrapy before 2.6.2 and 1.8.3 vulnerable to one proxy sending credentials to another\n### Impact\n\nWhen the [built-in HTTP proxy downloader middleware](https://docs.scrapy.org/en/2.6/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpproxy) processes a request with `proxy` metadata, and that `proxy` metadata includes proxy credentials, the built-in HTTP proxy downloader middleware sets the `Proxy-Authentication` header, but only if that header is not already set.\n\nThere are third-party proxy-rotation downloader middlewares that set different `proxy` metadata every time they process a request.\n\nBecause of request retries and redirects, the same request can be processed by downloader middlewares more than once, including both the built-in HTTP proxy downloader middleware and any third-party proxy-rotation downloader middleware.\n\nThese third-party proxy-rotation downloader middlewares could change the `proxy` metadata of a request to a new value, but fail to remove the `Proxy-Authentication` header from the previous value of the `proxy` metadata, causing the credentials of one proxy to be leaked to a different proxy.\n\nIf you rotate proxies from different proxy providers, and any of those proxies requires credentials, you are affected, unless you are handling proxy rotation as described under **Workarounds** below. 
If you use a third-party downloader middleware for proxy rotation, the same applies to that downloader middleware, and installing a patched version of Scrapy may not be enough; patching that downloader middleware may be necessary as well.\n\n### Patches\n\nUpgrade to Scrapy 2.6.2.\n\nIf you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.6.2 is not an option, you may upgrade to Scrapy 1.8.3 instead.\n\n### Workarounds\n\nIf you cannot upgrade, make sure that any code that changes the value of the `proxy` request meta also removes the `Proxy-Authorization` header from the request if present.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* [Open an issue](https://github.com/scrapy/scrapy/issues)\n* [Email us](mailto:opensource@zyte.com)", "references": [ { "reference_url": "https://github.com/scrapy/scrapy", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy" }, { "reference_url": "https://github.com/scrapy/scrapy/commit/af7dd16d8ded3e6cb2946603688f4f4a5212e80f", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/commit/af7dd16d8ded3e6cb2946603688f4f4a5212e80f" }, { "reference_url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-9x8m-2xpf-crp3", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-9x8m-2xpf-crp3" }, { "reference_url": "https://github.com/advisories/GHSA-9x8m-2xpf-crp3", "reference_id": "GHSA-9x8m-2xpf-crp3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": 
"cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9x8m-2xpf-crp3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/45160?format=api", "purl": "pkg:pypi/scrapy@1.8.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-385b-344t-23es" }, { "vulnerability": "VCID-64nx-aruy-q7gy" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" }, { "vulnerability": "VCID-kgf5-wu3r-pqc6" }, { "vulnerability": "VCID-nekz-z7zw-mfgz" }, { "vulnerability": "VCID-t5cn-a543-nyag" }, { "vulnerability": "VCID-urb1-hv1z-duga" }, { "vulnerability": "VCID-veaw-n6vt-zfgu" }, { "vulnerability": "VCID-x9ee-za9y-3fcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@1.8.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/45163?format=api", "purl": "pkg:pypi/scrapy@2.6.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-385b-344t-23es" }, { "vulnerability": "VCID-64nx-aruy-q7gy" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" }, { "vulnerability": "VCID-kgf5-wu3r-pqc6" }, { "vulnerability": "VCID-nekz-z7zw-mfgz" }, { "vulnerability": "VCID-t5cn-a543-nyag" }, { "vulnerability": "VCID-urb1-hv1z-duga" }, { "vulnerability": "VCID-veaw-n6vt-zfgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.6.2" } ], "aliases": [ "GHSA-9x8m-2xpf-crp3", "GMS-2022-3357" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ugxf-pfaw-rqbm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/12829?format=api", "vulnerability_id": "VCID-urb1-hv1z-duga", "summary": "In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the 
same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes. Consequently, when a redirect downgrades from HTTPS to HTTP, the Authorization header may be inadvertently exposed in plaintext, leading to potential sensitive information disclosure to unauthorized actors. The flaw is located in the _build_redirect_request function of the redirect middleware.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1968", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40572", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40923", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40941", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40905", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40886", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40928", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40898", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40818", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40726", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40713", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.4063", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", 
"scoring_elements": "0.4048", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40548", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40567", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40472", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40497", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40912", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40939", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40868", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0019", "scoring_system": "epss", "scoring_elements": "0.40917", "published_at": "2026-04-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1968" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1968", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1968" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/scrapy/scrapy", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/scrapy/scrapy" }, { "reference_url": "https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-18T20:26:27Z/" } ], "url": "https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8" }, { "reference_url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-4qqq-9vqf-3h3f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-4qqq-9vqf-3h3f" }, { "reference_url": "https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-18T20:26:27Z/" } ], "url": "https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a" }, { "reference_url": "https://github.com/advisories/GHSA-4qqq-9vqf-3h3f", 
"reference_id": "GHSA-4qqq-9vqf-3h3f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4qqq-9vqf-3h3f" }, { "reference_url": "https://usn.ubuntu.com/7476-1/", "reference_id": "USN-7476-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7476-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19069?format=api", "purl": "pkg:pypi/scrapy@2.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-385b-344t-23es" }, { "vulnerability": "VCID-4vw6-u8m8-dbe2" }, { "vulnerability": "VCID-64nx-aruy-q7gy" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" }, { "vulnerability": "VCID-jvzg-u5ks-tkhd" }, { "vulnerability": "VCID-kgf5-wu3r-pqc6" }, { "vulnerability": "VCID-m9gg-8qum-9bh2" }, { "vulnerability": "VCID-nekz-z7zw-mfgz" }, { "vulnerability": "VCID-t5cn-a543-nyag" }, { "vulnerability": "VCID-ugxf-pfaw-rqbm" }, { "vulnerability": "VCID-urb1-hv1z-duga" }, { "vulnerability": "VCID-veaw-n6vt-zfgu" }, { "vulnerability": "VCID-x9ee-za9y-3fcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/46023?format=api", "purl": "pkg:pypi/scrapy@2.11.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.2" } ], "aliases": [ "CVE-2024-1968", "GHSA-4qqq-9vqf-3h3f", "PYSEC-2024-258" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-urb1-hv1z-duga" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/19864?format=api", "vulnerability_id": "VCID-veaw-n6vt-zfgu", "summary": "Scrapy's 
redirects ignoring scheme-specific proxy settings\n### Impact\n\nWhen using system proxy settings, which are scheme-specific (i.e. specific to `http://` or `https://` URLs), Scrapy was not accounting for scheme changes during redirects.\n\nFor example, an HTTP request would use the proxy configured for HTTP and, when redirected to an HTTPS URL, the new HTTPS request would still use the proxy configured for HTTP instead of switching to the proxy configured for HTTPS. Same the other way around.\n\nIf you have different proxy configurations for HTTP and HTTPS in your system for security reasons (e.g., maybe you don’t want one of your proxy providers to be aware of the URLs that you visit with the other one), this would be a security issue.\n\n### Patches\n\nUpgrade to Scrapy 2.11.2.\n\n### Workarounds\n\nReplace the built-in retry middlewares (`RedirectMiddleware` and `MetaRefreshMiddleware`) and the `HttpProxyMiddleware` middleware with custom ones that implement the fix from Scrapy 2.11.2, and verify that they work as intended.\n\n### References\n\nThis security issue was reported by @redapple at https://github.com/scrapy/scrapy/issues/767.", "references": [ { "reference_url": "https://github.com/scrapy/scrapy", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy" }, { "reference_url": "https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8" }, { 
"reference_url": "https://github.com/scrapy/scrapy/issues/767", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/issues/767" }, { "reference_url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jm3v-qxmh-hxwv", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-jm3v-qxmh-hxwv" }, { "reference_url": "https://github.com/advisories/GHSA-jm3v-qxmh-hxwv", "reference_id": "GHSA-jm3v-qxmh-hxwv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jm3v-qxmh-hxwv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46023?format=api", "purl": "pkg:pypi/scrapy@2.11.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.2" } ], "aliases": [ "GHSA-jm3v-qxmh-hxwv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-veaw-n6vt-zfgu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/8496?format=api", "vulnerability_id": "VCID-x9ee-za9y-3fcb", "summary": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 
2.6.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0577", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43196", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43375", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.4339", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.4341", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43378", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43363", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43422", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43411", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43345", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43278", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.4328", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43202", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43069", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43147", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43163", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00209", 
"scoring_system": "epss", "scoring_elements": "0.43102", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43133", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43301", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43358", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43385", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43323", "published_at": "2026-04-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0577" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0577", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0577" }, { "reference_url": "https://github.com/advisories/GHSA-cjvr-mfj7-j4j8", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cjvr-mfj7-j4j8" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2022-159.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2022-159.yaml" }, { "reference_url": "https://github.com/scrapy/scrapy", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy" }, { "reference_url": "https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a" }, { "reference_url": "https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008234", "reference_id": "1008234", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008234" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0577", "reference_id": "CVE-2022-0577", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-0577" }, { "reference_url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-cjvr-mfj7-j4j8", "reference_id": "GHSA-cjvr-mfj7-j4j8", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-cjvr-mfj7-j4j8" }, { "reference_url": "https://usn.ubuntu.com/7476-1/", "reference_id": "USN-7476-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7476-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/25479?format=api", "purl": "pkg:pypi/scrapy@1.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-385b-344t-23es" }, { "vulnerability": "VCID-64nx-aruy-q7gy" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" }, { "vulnerability": "VCID-kgf5-wu3r-pqc6" }, { "vulnerability": "VCID-m9gg-8qum-9bh2" }, { "vulnerability": "VCID-nekz-z7zw-mfgz" }, { "vulnerability": "VCID-t5cn-a543-nyag" }, { "vulnerability": "VCID-ugxf-pfaw-rqbm" }, { "vulnerability": "VCID-urb1-hv1z-duga" }, { "vulnerability": "VCID-veaw-n6vt-zfgu" }, { "vulnerability": "VCID-x9ee-za9y-3fcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@1.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/25481?format=api", "purl": "pkg:pypi/scrapy@2.6.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k4b-pr5k-s7e5" }, { "vulnerability": "VCID-385b-344t-23es" }, { "vulnerability": "VCID-64nx-aruy-q7gy" }, { "vulnerability": "VCID-dc1m-rt7j-w3af" }, { "vulnerability": "VCID-kgf5-wu3r-pqc6" }, { "vulnerability": "VCID-m9gg-8qum-9bh2" }, { 
"vulnerability": "VCID-nekz-z7zw-mfgz" }, { "vulnerability": "VCID-t5cn-a543-nyag" }, { "vulnerability": "VCID-ugxf-pfaw-rqbm" }, { "vulnerability": "VCID-urb1-hv1z-duga" }, { "vulnerability": "VCID-veaw-n6vt-zfgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.6.1" } ], "aliases": [ "CVE-2022-0577", "GHSA-cjvr-mfj7-j4j8", "PYSEC-2022-159" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x9ee-za9y-3fcb" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@1.1.0rc2" }