Scrapy vulnerable to ReDoS via XMLFeedSpider
GHSA-cc65-xxvf-f7r9 · CVE-2024-1892 · PYSEC-2024-162
Published · Modified
Description
Impact
The following parts of the Scrapy API were found to be vulnerable to a ReDoS attack:
The
XMLFeedSpiderclass or any subclass that uses the default node iterator:iternodes, as well as direct uses of thescrapy.utils.iterators.xmliterfunction.Scrapy 2.6.0 to 2.11.0: The
open_in_browserfunction for a response without a base tag.
Handling a malicious response could cause extreme CPU and memory usage during the parsing of its content, due to the use of vulnerable regular expressions for that parsing.
Patches
Upgrade to Scrapy 2.11.1.
If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.
Workarounds
For XMLFeedSpider, switch the node iterator to xml or html.
For open_in_browser, before using the function, either manually review the response content to discard a ReDos attack or manually define the base tag to avoid its automatic definition by open_in_browser later.
Acknowledgements
This security issue was reported by @nicecatch2000 through huntr.com.
References
- WEB https://github.com/scrapy/scrapy/security/advisories/GHSA-cc65-xxvf-f7r9
- WEB https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5
- WEB https://github.com/scrapy/scrapy/commit/73e7c0ed011a0565a1584b8052ec757b54e5270b
- WEB https://docs.scrapy.org/en/latest/news.html#scrapy-1-8-4-2024-02-14
- WEB https://docs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2024-162.yaml
- PACKAGE https://github.com/scrapy/scrapy
- WEB https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b
Ready to move
Start Securing
Free, no credit card | First findings in minutes