CVE-2024-1892

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive.
Configurations

No configuration.

History

16 Apr 2024, 12:15

Type Values Removed Values Added
Summary
  • (es) Se descubrió que partes de la API Scrapy eran vulnerables a un ataque ReDoS. Manejar una respuesta maliciosa podría causar un uso extremo de CPU y memoria durante el análisis de su contenido, debido al uso de expresiones regulares vulnerables para ese análisis.
Summary (en) Parts of the Scrapy API were found to be vulnerable to a ReDoS attack. Handling a malicious response could cause extreme CPU and memory usage during the parsing of its content, due to the use of vulnerable regular expressions for that parsing. (en) A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive.

28 Feb 2024, 00:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-28 00:15

Updated : 2024-04-16 12:15


NVD link : CVE-2024-1892

Mitre link : CVE-2024-1892

CVE.ORG link : CVE-2024-1892


JSON object : View

Products Affected

No product.

CWE
CWE-1333

Inefficient Regular Expression Complexity