CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score Confidence: Low
EPSS Percentile: 9.0%
Scrapy limits allowed response sizes by default through the DOWNLOAD_MAXSIZE and DOWNLOAD_WARNSIZE settings.
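For reference, these limits are set in a project's settings.py and expressed in bytes. A minimal sketch (the figures below are illustrative choices, not necessarily Scrapy's defaults):

```python
# settings.py -- size limits for downloaded response bodies.
# Both values are in bytes; the numbers here are illustrative examples.
DOWNLOAD_MAXSIZE = 100 * 1024 * 1024  # cancel downloads larger than 100 MiB
DOWNLOAD_WARNSIZE = 10 * 1024 * 1024  # log a warning for bodies above 10 MiB
```

Both settings can also be overridden per spider via the `download_maxsize` and `download_warnsize` spider attributes.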
However, those limits were enforced only while downloading the raw, usually compressed, response bodies, not during decompression, making Scrapy vulnerable to decompression bombs.
A malicious website being scraped could send a small response that, on decompression, exhausts the memory available to the Scrapy process, potentially affecting any other process sharing that memory, and could also exhaust disk space when uncompressed responses are cached.
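The mechanism is easy to demonstrate outside Scrapy: a highly repetitive payload compresses to a tiny fraction of its size, so a response small enough to pass a download-size check can still balloon in memory once decompressed. A standalone sketch using the standard-library zlib module (not Scrapy's own code path):

```python
import zlib

# Build a "decompression bomb": 64 MiB of zeros compresses to a few
# tens of kilobytes, a ratio on the order of 1000:1.
raw_size = 64 * 1024 * 1024
compressed = zlib.compress(b"\x00" * raw_size, 9)

# The compressed body is what a size check on the raw download sees.
print(f"compressed:   {len(compressed)} bytes")

# Decompressing restores the full 64 MiB in memory.
print(f"decompressed: {len(zlib.decompress(compressed))} bytes")
```

A check applied only to `len(compressed)` passes easily, which is why the fix enforces the limits during decompression as well.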
Upgrade to Scrapy 2.11.1.
If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.
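The upgrade advice above can be encoded as a small sanity check. The helper below is hypothetical (not a Scrapy API), and its version parsing is deliberately simplistic:

```python
def is_patched(ver: str) -> bool:
    """Return True if this Scrapy version string includes the fix.

    Fixed in 2.11.1, with a backport to 1.8.4 for the 1.8 series.
    Hypothetical helper; assumes a plain "X.Y.Z" version string.
    """
    parts = tuple(int(p) for p in ver.split(".")[:3])
    return parts >= (2, 11, 1) or (1, 8, 4) <= parts < (1, 9)

print(is_patched("2.11.0"))  # False
print(is_patched("2.11.1"))  # True
print(is_patched("1.8.4"))   # True
```

The installed version could be fed to such a check via `importlib.metadata.version("scrapy")`.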
There is no easy workaround.
Disabling HTTP decompression altogether is impractical, as HTTP compression is common practice.
However, it is technically possible to backport the 2.11.1 or 1.8.4 fix manually, replacing the corresponding components of an unpatched version of Scrapy with patched versions copied into your own code.
This security issue was reported by @dmandefy through huntr.com.
docs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14
github.com/advisories/GHSA-7j7m-v7m3-jqm7
github.com/scrapy/scrapy/commit/71b8741e3607cfda2833c7624d4ada87071aa8e5
github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f
github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7
huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb
nvd.nist.gov/vuln/detail/CVE-2024-3572