Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Scrapy vulnerable to ReDoS via XMLFeedSpider
Impact
The following parts of the Scrapy API were found to be vulnerable to a ReDoS attack:
- The XMLFeedSpider class or any subclass that uses the default node iterator: iternodes, as well as direct uses of the scrapy.utils.iterators.xmliter function.
- Scrapy 2.6.0 to 2.11.0: The open_in_browser function for a response without a base tag.
Handling a malicious response could cause extreme CPU and memory usage during the parsing of its content, due to the use of vulnerable regular expressions for that parsing.
Patches
Upgrade to Scrapy 2.11.1.
If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.
Workarounds
For XMLFeedSpider, switch the node iterator to xml or html.
For open_in_browser, before using the function, either manually review the response content to discard a ReDoS attack or manually define the base tag to avoid its automatic definition by open_in_browser later.
Acknowledgements
This security issue was reported by @nicecatch2000 through huntr.com.
Permalink: https://github.com/advisories/GHSA-cc65-xxvf-f7r9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jYzY1LXh4dmYtZjdyOc4AA5UB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 9 months ago
Updated: 7 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-cc65-xxvf-f7r9, CVE-2024-1892
References:
- https://github.com/scrapy/scrapy/security/advisories/GHSA-cc65-xxvf-f7r9
- https://docs.scrapy.org/en/latest/news.html#scrapy-1-8-4-2024-02-14
- https://docs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14
- https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5
- https://github.com/scrapy/scrapy/commit/73e7c0ed011a0565a1584b8052ec757b54e5270b
- https://github.com/advisories/GHSA-cc65-xxvf-f7r9
Blast Radius: 25.8
Affected Packages
pypi:scrapy
Dependent packages: 136
Dependent repositories: 2,753
Downloads: 1,439,520 last month
Affected Version Ranges: < 1.8.4, >= 2, < 2.11.1
Fixed in: 1.8.4, 2.11.1
All affected versions: 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.20.0, 0.20.1, 0.20.2, 0.22.0, 0.22.1, 0.22.2, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.24.4, 0.24.5, 0.24.6, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.8.0, 2.9.0, 2.10.0, 2.10.1, 2.11.0
All unaffected versions: 1.8.4, 2.11.1, 2.11.2, 2.12.0
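A dependency check built from the version ranges listed above, as an added example that is not part of the advisory or of Scrapy's own code: it flags exact Scrapy pins in a requirements file and reports which of the two affected API areas applies to each. The function names, the simplified version parsing and the sample requirements text are assumptions made for this example.

```python
import re

# Ranges taken from this advisory:
#   XMLFeedSpider / xmliter: "< 1.8.4" or ">= 2, < 2.11.1"
#   open_in_browser:         Scrapy 2.6.0 to 2.11.0 only

def parse_version(text):
    """Turn '2.11.0' into (2, 11, 0). Simplification (assumption): only the
    first three numeric fields are compared, pre-release tags are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text.split("+")[0])[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def affected_components(version):
    """List the API areas from the advisory that are vulnerable in `version`."""
    v = parse_version(version)
    hits = []
    if v < (1, 8, 4) or (2, 0, 0) <= v < (2, 11, 1):
        hits.append("XMLFeedSpider/xmliter (iternodes)")
    if (2, 6, 0) <= v <= (2, 11, 0):
        hits.append("open_in_browser")
    return hits

# Matches exact pins such as "Scrapy==2.8.0"; other packages whose names
# merely start with "scrapy" do not match because "==" must follow the name.
PIN = re.compile(r"^\s*scrapy\s*==\s*([0-9][^\s;#]*)", re.IGNORECASE)

def audit_requirements(text):
    """Return {pinned_version: [affected components]} for exact Scrapy pins."""
    findings = {}
    for line in text.splitlines():
        m = PIN.match(line)
        if m:
            findings[m.group(1)] = affected_components(m.group(1))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = """\
requests==2.31.0
Scrapy==2.8.0  # crawler
scrapy==1.8.3
scrapy==1.8.4
scrapy==2.11.1
"""

if __name__ == "__main__":
    for version, hits in audit_requirements(SAMPLE).items():
        print(version, "->", ", ".join(hits) or "not affected")
```

Pins that resolve to an affected version should move to 1.8.4 or 2.11.1, the fixed releases named above; range specifiers and lock files need a resolver-aware tool rather than this exact-pin check.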