VulnerableCode Vulnerability Details - VCID-7732-kkkz-77ad

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-7732-kkkz-77ad

Essentials
Severities (5)
References (4)
Severity details (5)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-7732-kkkz-77ad
Aliases	GHSA-mfjm-vh54-3f96 GMS-2022-230
Summary	Scrapy cookie-setting is not restricted based on the public suffix list ### Impact Responses from domain names whose public domain name suffix contains 1 or more periods (e.g. responses from `example.co.uk`, given its public domain name suffix is `co.uk`) are able to set cookies that are included in requests to any other domain sharing the same domain name suffix. ### Patches Upgrade to Scrapy 2.6.0, which restricts cookies with their domain set to any of those in the [public suffix list](https://publicsuffix.org/). If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.6.0 is not an option, you may upgrade to Scrapy 1.8.2 instead. ### Workarounds The only workaround for unpatched versions of Scrapy is to [disable cookies altogether](https://docs.scrapy.org/en/latest/topics/downloader-middleware.html#std-setting-COOKIES_ENABLED), or [limit target domains](https://docs.scrapy.org/en/latest/topics/spiders.html#scrapy.spiders.Spider.allowed_domains) to a subset that does not include domain names with one of the public domain suffixes affected (those with 1 or more periods). ### References * https://publicsuffix.org/ ### For more information If you have any questions or comments about this advisory: * [Open an issue](https://github.com/scrapy/scrapy/issues) * [Email us](mailto:opensource@zyte.com)
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-mfjm-vh54-3f96
generic_textual	MODERATE	https://github.com/scrapy/scrapy
generic_textual	MODERATE	https://github.com/scrapy/scrapy/commit/e865c4430e58a4faa0e0766b23830f8423d6167a
cvssv3.1_qr	MODERATE	https://github.com/scrapy/scrapy/security/advisories/GHSA-mfjm-vh54-3f96
generic_textual	MODERATE	https://github.com/scrapy/scrapy/security/advisories/GHSA-mfjm-vh54-3f96

Reference id	Reference type	URL
		https://github.com/scrapy/scrapy
		https://github.com/scrapy/scrapy/commit/e865c4430e58a4faa0e0766b23830f8423d6167a
		https://github.com/scrapy/scrapy/security/advisories/GHSA-mfjm-vh54-3f96
GHSA-mfjm-vh54-3f96		https://github.com/advisories/GHSA-mfjm-vh54-3f96

No exploits are available.

No EPSS data available for this vulnerability.

Date	Actor	Action	Source	VulnerableCode Version
2026-05-29T09:29:46.902939+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-mfjm-vh54-3f96/GHSA-mfjm-vh54-3f96.json	38.6.0