7.5

CVE-2024-3572

Exploit

EPSS 0.16%
Published 16.04.2024 00:15:12
Last modified 28.07.2025 14:49:45
Source security@huntr.dev
Teams watchlist Login
Open Login

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.

Affected products Warnungen 0 Metrics 2 CWE 1 References 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Scrapy ≫ Scrapy Version < 2.11.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.16%	0.373

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
security@huntr.dev	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f

Patch

https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb

Third Party Advisory

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-3572

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-3572

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-3572

EUVD