High severity · NVD Advisory · Published Feb 28, 2024 · Updated Aug 11, 2024
ReDoS Vulnerability in scrapy/scrapy's XMLFeedSpider
CVE-2024-1892
Description
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits the inefficient complexity of a regular expression used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. The vulnerability causes the system to hang and consume significant resources, potentially rendering services that use Scrapy for XML processing unresponsive.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| scrapy (PyPI) | >= 2, < 2.11.1 | 2.11.1 |
| scrapy (PyPI) | < 1.8.4 | 1.8.4 |
References
- github.com/advisories/GHSA-cc65-xxvf-f7r9 (GHSA, advisory)
- docs.scrapy.org/en/latest/news.html (GHSA, web)
- github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2024-162.yaml (GHSA, web)
- github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5 (GHSA, web)
- github.com/scrapy/scrapy/commit/73e7c0ed011a0565a1584b8052ec757b54e5270b (GHSA, web)
- github.com/scrapy/scrapy/security/advisories/GHSA-cc65-xxvf-f7r9 (GHSA, web)
- huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b (GHSA, web)