CVE-2024-1892 ReDoS Vulnerability in scrapy/scrapy's XMLFeedSpider

2024-02-2800:00:14

CWE-1333

@huntr_ai

www.cve.org

cve-2024-1892

redos vulnerability

scrapy/scrapy

xmlfeedspider

regular expression denial of service

parsing

xml content

denial-of-service

dos

resource consumption

unresponsive services

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

9.1%

JSON

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive.

CNA Affected

[
  {
    "vendor": "scrapy",
    "product": "scrapy/scrapy",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "2.11",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]