6.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-23j4-mw76-5v7h

EPSS Score

CWE

CWE-552

Published

5/14/2024

Updated

5/14/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-23j4-mw76-5v7h

GHSA-23j4-mw76-5v7h: Scrapy allows redirect following in protocols other than HTTP

Impact

Scrapy was following redirects regardless of the URL protocol, so redirects were working for data://, file://, ftp://, s3://, and any other scheme defined in the DOWNLOAD_HANDLERS setting.

However, HTTP redirects should only work between URLs that use the http:// or https:// schemes.

A malicious actor, given write access to the start requests (e.g. ability to define start_urls) of a spider and read access to the spider output, could exploit this vulnerability to:

Redirect to any local file using the file:// scheme to read its contents.
Redirect to an ftp:// URL of a malicious FTP server to obtain the FTP username and password configured in the spider or project.
Redirect to any s3:// URL to read its content using the S3 credentials configured in the spider or project.

For file:// and s3://, how the spider implements its parsing of input data into an output item determines what data would be vulnerable. A spider that always outputs the entire contents of a response would be completely vulnerable, while a spider that extracted only fragments from the response could significantly limit vulnerable data.

Patches

Upgrade to Scrapy 2.11.2.

Workarounds

Replace the built-in retry middlewares (RedirectMiddleware and MetaRefreshMiddleware) with custom ones that implement the fix from Scrapy 2.11.2, and verify that they work as intended.

References

This security issue was reported by @mvsantos at https://github.com/scrapy/scrapy/issues/457.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-23j4-mw76-5v7h

EPSS Score

CWE

CWE-552

Published

5/14/2024

Updated

5/14/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Scrapy	pip	< 2.11.2	2.11.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from redirect handling logic in two middleware classes. The commit diff shows both were modified to add scheme validation checks ({'http', 'https'}). Prior to the patch:

RedirectMiddleware blindly followed Location headers without scheme validation
MetaRefreshMiddleware processed refresh tags without scheme checks These functions directly handled redirect resolution and were missing protocol restrictions, making them the root cause of the vulnerability. The high confidence comes from the direct correlation between the vulnerability description and the patched code locations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t S*r*py w*s *ollowin* r**ir**ts r***r*l*ss o* t** URL proto*ol, so r**ir**ts w*r* workin* *or `**t*://`, `*il*://`, `*tp://`, `s*://`, *n* *ny ot**r s***m* ***in** in t** `*OWNLO**_**N*L*RS` s*ttin*. *ow*v*r, *TTP r**ir**ts s*oul* only wo

Reasoning

T** vuln*r**ility st*ms *rom r**ir**t **n*lin* lo*i* in two mi**l*w*r* *l*ss*s. T** *ommit *i** s*ows *ot* w*r* mo*i*i** to *** s***m* v*li**tion ****ks ({'*ttp', '*ttps'}). Prior to t** p*t**: *. R**ir**tMi**l*w*r* *lin*ly *ollow** Lo**tion *****rs

6.5

Basic Information

Concerned about an active attack path?

GHSA-23j4-mw76-5v7h: Scrapy allows redirect following in protocols other than HTTP

Impact

Patches

Workarounds

References

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI