logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-3572 scrapy

Package

Manager: pip
Name: scrapy
Vulnerable Version: >=2.0.0 <2.11.1 || >=0 <1.8.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00114 pctl0.30657

Details

Scrapy decompression bomb vulnerability ### Impact Scrapy limits allowed response sizes by default through the [`DOWNLOAD_MAXSIZE`](https://docs.scrapy.org/en/latest/topics/settings.html#download-maxsize) and [`DOWNLOAD_WARNSIZE`](https://docs.scrapy.org/en/latest/topics/settings.html#download-warnsize) settings. However, those limits were only being enforced during the download of the raw, usually-compressed response bodies, and not during decompression, making Scrapy vulnerable to [decompression bombs](https://cwe.mitre.org/data/definitions/409.html). A malicious website being scraped could send a small response that, on decompression, could exhaust the memory available to the Scrapy process, potentially affecting any other process sharing that memory, and affecting disk usage in case of uncompressed response caching. ### Patches Upgrade to Scrapy 2.11.1. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead. ### Workarounds There is no easy workaround. Disabling HTTP decompression altogether is impractical, as HTTP compression is a rather common practice. However, it is technically possible to manually backport the 2.11.1 or 1.8.4 fix, replacing the corresponding components of an unpatched version of Scrapy with patched versions copied into your own code. ### Acknowledgements This security issue was reported by @dmandefy [through huntr.com](https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb/).

Metadata

Created: 2024-02-16T16:07:13Z
Modified: 2024-04-16T14:05:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-7j7m-v7m3-jqm7/GHSA-7j7m-v7m3-jqm7.json
CWE IDs: ["CWE-409"]
Alternative ID: GHSA-7j7m-v7m3-jqm7
Finding: F159
Auto approve: 1