Description
The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.
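As an added illustration (not code from the scrapy project or from the advisory), the unconfigured `lxml.etree.fromstring` call the description refers to is shown beside a hardened parser configuration and a cheap DOCTYPE pre-check. The sample document is constructed and declares only a harmless internal entity; it is enough to show whether a parser expands entity references at all, which is the behaviour an XXE document relies on.

```python
from lxml import etree

# Constructed sample: an inline DTD declaring an internal entity, then a
# reference to it. No external resource is involved; the point is only to
# observe whether the parser expands "&x;".
SAMPLE = b'<!DOCTYPE r [<!ENTITY x "hi">]><r>&x;</r>'


def parse_default(data: bytes) -> etree._Element:
    """The pattern the advisory describes: fromstring with no parser settings."""
    return etree.fromstring(data)


def hardened_parser() -> etree.XMLParser:
    """Parser settings that stop entity expansion and external fetches."""
    return etree.XMLParser(
        resolve_entities=False,  # keep entity references as nodes, never expand
        no_network=True,         # never fetch remote DTDs/entities (default, explicit)
        load_dtd=False,          # do not load an external DTD subset
        huge_tree=False,         # keep libxml2's built-in size and depth limits
    )


def parse_hardened(data: bytes) -> etree._Element:
    """Same entry point, but with the hardened parser supplied explicitly."""
    return etree.fromstring(data, parser=hardened_parser())


def has_doctype(data: bytes) -> bool:
    """Pre-parse check: a DOCTYPE in untrusted feed data is worth rejecting or logging,
    since a legitimate feed almost never needs one."""
    return b"<!DOCTYPE" in data


if __name__ == "__main__":
    print("default parser  ->", parse_default(SAMPLE).text)    # entity expanded: 'hi'
    print("hardened parser ->", parse_hardened(SAMPLE).text)   # not expanded
    print("doctype present ->", has_doctype(SAMPLE))
```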
References (2)
Core References (Exploit, Issue Tracking, Third Party Advisory):
https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb
Scores
CVSS v3: 7.5
EPSS: 0.0016
EPSS Percentile: 36.5%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-409
Status: published
Products (2)
pypi/scrapy: 2.0.0 - 2.11.1 (PyPI)
scrapy/scrapy: < 2.11.1
Published: Apr 16, 2024
Tracked Since: Feb 18, 2026