{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47029?format=json","vulnerability_id":"VCID-eps3-2rkz-r3gf","summary":"Scrapy decompression bomb vulnerability\n### Impact\n\nScrapy limits allowed response sizes by default through the [`DOWNLOAD_MAXSIZE`](https://docs.scrapy.org/en/latest/topics/settings.html#download-maxsize) and [`DOWNLOAD_WARNSIZE`](https://docs.scrapy.org/en/latest/topics/settings.html#download-warnsize) settings.\n\nHowever, those limits were only being enforced during the download of the raw, usually-compressed response bodies, and not during decompression, making Scrapy vulnerable to [decompression bombs](https://cwe.mitre.org/data/definitions/409.html).\n\nA malicious website being scraped could send a small response that, on decompression, could exhaust the memory available to the Scrapy process, potentially affecting any other process sharing that memory, and affecting disk usage in case of uncompressed response caching.\n\n### Patches\n\nUpgrade to Scrapy 2.11.1.\n\nIf you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.\n\n### Workarounds\n\nThere is no easy workaround.\n\nDisabling HTTP decompression altogether is impractical, as HTTP compression is a rather common practice.\n\nHowever, it is technically possible to manually backport the 2.11.1 or 1.8.4 fix, replacing the corresponding components of an unpatched version of Scrapy with patched versions copied into your own code.\n\n### Acknowledgements\n\nThis security issue was reported by @dmandefy [through huntr.com](https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb/).","aliases":[{"alias":"GHSA-7j7m-v7m3-jqm7"},{"alias":"GMS-2024-327"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40519?format=json","purl":"pkg:pypi/scrapy@1.8.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-atnw-pnvj-zkhp"},{"vulnerability":"VCID-n6z2-awrh-7kbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@1.8.4"},{"url":"http://public2.vulnerablecode.io/api/packages/40529?format=json","purl":"pkg:pypi/scrapy@2.11.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-n6z2-awrh-7kbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.11.1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24022?format=json","purl":"pkg:pypi/scrapy@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4q2x-51p4-eygm"},{"vulnerability":"VCID-4yce-5hbd-4kbx"},{"vulnerability":"VCID-atnw-pnvj-zkhp"},{"vulnerability":"VCID-eps3-2rkz-r3gf"},{"vulnerability":"VCID-jrh5-kjau-xkar"},{"vulnerability":"VCID-meje-5upu-mqen"},{"vulnerability":"VCID-n6z2-awrh-7kbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/scrapy@2.0.0"}],"references":[{"reference_url":"https://docs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14","reference_id":"","reference_type":"","scores":[],"url":"https://docs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14"},{"reference_url":"https://github.com/scrapy/scrapy/commit/71b8741e3607cfda2833c7624d4ada87071aa8e5","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/scrapy/scrapy/commit/71b8741e3607cfda2833c7624d4ada87071aa8e5"},{"reference_url":"https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f"},{"reference_url":"https://github.com/advisories/GHSA-7j7m-v7m3-jqm7","reference_id":"GHSA-7j7m-v7m3-jqm7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7j7m-v7m3-jqm7"},{"reference_url":"https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7","reference_id":"GHSA-7j7m-v7m3-jqm7","reference_type":"","scores":[],"url":"https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":null,"exploitability":"0.5","weighted_severity":"0.0","risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eps3-2rkz-r3gf"}