PT-2024-18399 · Scrapy+3
Published: 2024-02-15 · Updated: 2025-05-05
CVE-2024-1892
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Scrapy versions 2.6.0 through 2.11.0
Scrapy versions prior to 1.8.4
Description
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the Scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that triggers the inefficient regular expressions used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. Handling such a response can make the process hang and consume extreme CPU and memory while its content is parsed, potentially rendering services that rely on Scrapy for XML processing unresponsive.
Recommendations
For Scrapy versions 2.6.0 through 2.11.0, upgrade to Scrapy 2.11.1.
For Scrapy versions prior to 1.8.4, upgrade to Scrapy 1.8.4.
As a temporary workaround for XMLFeedSpider, switch the node iterator (the spider's iterator attribute) from the default iternodes to xml or html.
For open_in_browser (scrapy.utils.response), before using the function, either manually review the response content to rule out a ReDoS attack or manually define the base tag to avoid its automatic definition by open_in_browser later.
Tags: Exploit, Fix, DoS
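As an added example (not part of this advisory or of Scrapy's own code), a small audit helper that applies the two checks above: whether a Scrapy version string falls in an affected range, and whether XMLFeedSpider subclasses in a project still rely on the default iternodes iterator instead of the xml or html workaround. The spider source embedded below is constructed sample input, and version strings are assumed to be plain dotted integers.

```python
import ast

def parse_version(version: str) -> tuple:
    # Assumption: plain dotted integers such as "2.11.0" (no pre-release tags).
    return tuple(int(part) for part in version.split("."))

def is_affected_version(version: str) -> bool:
    """True if the advisory lists this Scrapy version as vulnerable."""
    v = parse_version(version)
    return v < (1, 8, 4) or (2, 6, 0) <= v <= (2, 11, 0)

def audit_xmlfeed_spiders(source: str) -> dict:
    """Map each XMLFeedSpider subclass in the source to its node iterator."""
    results = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ClassDef):
            continue
        # Accept both `XMLFeedSpider` and `scrapy.spiders.XMLFeedSpider` as bases.
        bases = [b.id if isinstance(b, ast.Name) else getattr(b, "attr", "")
                 for b in node.bases]
        if "XMLFeedSpider" not in bases:
            continue
        iterator = "iternodes"  # Scrapy's default when the attribute is absent
        for stmt in node.body:
            if isinstance(stmt, ast.Assign) and isinstance(stmt.value, ast.Constant):
                for target in stmt.targets:
                    if isinstance(target, ast.Name) and target.id == "iterator":
                        iterator = stmt.value.value
        results[node.name] = iterator
    return results

def needs_workaround(source: str) -> list:
    """Spiders that still use the regex-based iternodes iterator."""
    return sorted(name for name, it in audit_xmlfeed_spiders(source).items()
                  if it not in ("xml", "html"))

# Constructed sample project source: one spider on the default iterator,
# one with the workaround applied.
SAMPLE_SPIDERS = '''
from scrapy.spiders import XMLFeedSpider

class FeedSpider(XMLFeedSpider):
    name = "feed"
    itertag = "item"

class SafeFeedSpider(XMLFeedSpider):
    name = "safe_feed"
    iterator = "xml"
    itertag = "item"
'''
```

Running needs_workaround(SAMPLE_SPIDERS) reports FeedSpider only, since SafeFeedSpider already uses the xml iterator.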
Affected Products
Debian
Linuxmint
Scrapy
Ubuntu