CVE-2024-3572

Name of the Vulnerable Software and Affected Versions scrapy/scrapy (affected versions not specified)

Description The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This issue allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data. Additionally, Scrapy is vulnerable to decompression bombs, which could exhaust the memory available to the Scrapy process.

Recommendations Upgrade to Scrapy 2.11.1. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead. As a temporary workaround, consider manually backporting the 2.11.1 or 1.8.4 fix, replacing the corresponding components of an unpatched version of Scrapy with patched versions copied into your own code.