7.5

CVSS Score

3.0

Basic Information

CVE ID

GHSA ID

GHSA-rmqv-7v3j-mr7p

EPSS Score

CWE

CWE-409

Published

4/16/2024

Updated

4/16/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-rmqv-7v3j-mr7p

GHSA-rmqv-7v3j-mr7p: Duplicate Advisory: Scrapy decompression bomb vulnerability

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-7j7m-v7m3-jqm7. This link is maintained to preserve external references.

Original Description

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

GHSA ID

GHSA-rmqv-7v3j-mr7p

EPSS Score

CWE

CWE-409

Published

4/16/2024

Updated

4/16/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
scrapy	pip	< 2.11.1	2.11.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of decompressed data size limits. The key evidence is:

The CWE-409 (Data Amplification) classification and advisory description about decompression bombs
Commit changes adding DOWNLOAD_MAXSIZE/DOWNLOAD_WARNSIZE checks during decompression
Removal of bulk decompression in httpcompression.py and replacement with chunked decompression in _compression.py
Test cases added for 'bomb' payloads across multiple compression formats

The original _decode() and gunzip() functions lacked incremental size tracking, allowing small compressed inputs to decompress to massive outputs. The patch introduced chunked decompression with size monitoring in _inflate/_unbrotli/_unzstd helpers, confirming the vulnerability existed in these functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## *upli**t* **visory T*is **visory **s ***n wit**r*wn ****us* it is * *upli**t* o* **S*-*j*m-v*m*-jqm*. T*is link is m*int*in** to pr*s*rv* *xt*rn*l r***r*n**s. ## Ori*in*l **s*ription T** s*r*py/s*r*py proj**t is vuln*r**l* to XML *xt*rn*l *ntity

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* ***ompr*ss** **t* siz* limits. T** k*y *vi**n** is: *. T** *W*-*** (**t* *mpli*i**tion) *l*ssi*i**tion *n* **visory **s*ription **out ***ompr*ssion *om*s *. *ommit ***n**s ***in* *OWNLO**_M*XSIZ*/*OWN

7.5

Basic Information

Concerned about an active attack path?

GHSA-rmqv-7v3j-mr7p: Duplicate Advisory: Scrapy decompression bomb vulnerability

Duplicate Advisory

Original Description

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI