CVE-2024-3572

HIGH

Scrapy 2.0.0 to 2.11.0 (fixed in 2.11.1) - XML External Entity Injection via lxml Parsing

Title source: manual

Description

The scrapy/scrapy project parses untrusted XML (such as the sitemaps and XML feeds a spider fetches) with lxml.etree.fromstring using lxml's default XMLParser, which resolves the entities declared in a document's DTD. An attacker who controls the XML a spider downloads can therefore submit specially crafted documents to cause denial of service through entity expansion, read local files, trigger outbound network connections from the crawler, or use the crawler's network position to circumvent firewalls. The assigned CWE (CWE-409, data amplification) and the CVSS vector, which records availability impact only (C:N/I:N/A:H), score the entity-expansion denial-of-service case; the file-read and outbound-connection outcomes are the classic external-entity (CWE-611) consequences and are not reflected in the score. Scrapy 2.11.1 fixes the issue by parsing with entity resolution disabled.

Scores

CVSS v3 7.5
EPSS 0.0081
EPSS Percentile 52.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-409
Status published
Products (2)
pypi/scrapy 2.0.0 - 2.11.1 (PyPI; range end exclusive, i.e. 2.0.0 <= version < 2.11.1)
scrapy/scrapy < 2.11.1 (fixed in 2.11.1)
Published Apr 16, 2024
Tracked Since Feb 18, 2026