CVE-2024-3572 - Vulnerability Details - OpenCVE

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00157.

Key SSVC decision points have not yet been added.

Vendors	Products
Scrapy	Scrapy

Configuration 1 [-]

cpe:2.3:a:scrapy:scrapy:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-0557	The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.
Github GHSA	GHSA-7j7m-v7m3-jqm7	Scrapy decompression bomb vulnerability
Ubuntu USN	USN-7476-1	Scrapy vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f
https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb

History

Mon, 28 Jul 2025 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Scrapy Scrapy scrapy
CPEs		cpe:2.3:a:scrapy:scrapy::::::::
Vendors & Products		Scrapy Scrapy scrapy

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-04-16T00:00:14.499Z

Updated: 2024-08-01T20:12:07.961Z

Reserved: 2024-04-10T09:54:09.923Z

Link: CVE-2024-3572

Vulnrichment

Updated: 2024-08-01T20:12:07.961Z

NVD

Status : Analyzed

Published: 2024-04-16T00:15:12.387

Modified: 2025-07-28T14:49:45.790

Link: CVE-2024-3572

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3572", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-04-10T09:54:09.923Z", "datePublished": "2024-04-16T00:00:14.499Z", "dateUpdated": "2024-08-01T20:12:07.961Z"}, "containers": {"cna": {"title": "XML External Entity (XXE) Vulnerability in scrapy/scrapy", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-04-16T11:10:55.785Z"}, "descriptions": [{"lang": "en", "value": "The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data. "}], "affected": [{"vendor": "scrapy", "product": "scrapy/scrapy", "versions": [{"version": "unspecified", "lessThan": "2.11.1", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb"}, {"url": "https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)", "cweId": "CWE-409"}]}], "source": {"advisory": "c4a0fac9-0c5a-4718-9ee4-2d06d58adabb", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "scrapy", "product": "scrapy", "cpes": ["cpe:2.3:a:scrapy:scrapy:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.11.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-18T15:21:44.587736Z", "id": "CVE-2024-3572", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T15:50:19.103Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:12:07.961Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb", "tags": ["x_transferred"]}, {"url": "https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb", "tags": ["x_transferred"]}, {"url": "https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:12:07.961Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3572", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-18T15:21:44.587736Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:scrapy:scrapy:*:*:*:*:*:*:*:*"], "vendor": "scrapy", "product": "scrapy", "versions": [{"status": "affected", "version": "0", "lessThan": "2.11.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T15:50:04.724Z"}}], "cna": {"title": "XML External Entity (XXE) Vulnerability in scrapy/scrapy", "source": {"advisory": "c4a0fac9-0c5a-4718-9ee4-2d06d58adabb", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "scrapy", "product": "scrapy/scrapy", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "2.11.1", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb"}, {"url": "https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f"}], "descriptions": [{"lang": "en", "value": "The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data. "}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-409", "description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-04-16T11:10:55.785Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3572", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:12:07.961Z", "dateReserved": "2024-04-10T09:54:09.923Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-04-16T00:00:14.499Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:scrapy:scrapy:*:*:*:*:*:*:*:*", "matchCriteriaId": "99249052-7A1E-4B27-9201-E420B8FB7782", "versionEndExcluding": "2.11.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data. "}, {"lang": "es", "value": "El proyecto scrapy/scrapy es vulnerable a ataques de entidades externas XML (XXE) debido al uso de lxml.etree.fromstring para analizar datos XML que no son de confianza sin la validaci\u00f3n adecuada. Esta vulnerabilidad permite a los atacantes realizar ataques de denegaci\u00f3n de servicio, acceder a archivos locales, generar conexiones de red o eludir firewalls enviando datos XML especialmente manipulados."}], "id": "CVE-2024-3572", "lastModified": "2025-07-28T14:49:45.790", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2024-04-16T00:15:12.387", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Third Party Advisory", "Issue Tracking"], "url": "https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "Issue Tracking"], "url": "https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-409"}], "source": "security@huntr.dev", "type": "Secondary"}]}