Improper handling of highly compressed data in scrapy - #VU127074

Published: February 14, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127074
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-409
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: scrapy
Software vendor: scrapy.org

Description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of highly compressed data in HTTP response decompression when processing compressed response bodies from scraped websites. A remote attacker can send a specially crafted compressed response to cause a denial of service.

Memory exhaustion may affect other processes sharing the same memory, and disk usage may also be affected when uncompressed response caching is enabled.
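As an added illustration of the mitigation for the CWE-409 issue described above (example code written for this page, not Scrapy's own decompression middleware): a bounded, streaming decompressor that inflates a response body in fixed-size chunks and aborts as soon as the output passes a cap, exercised against a constructed gzip bomb. The cap value, the helper names and the sample bodies are all constructed for the example.

```python
import gzip
import zlib

# Constructed cap: the most inflated response body we are willing to hold.
MAX_DECOMPRESSED_SIZE = 1_000_000  # 1 MB

# Constructed inputs: a tiny benign body and a "bomb" that inflates ~1000:1.
BENIGN_BODY = gzip.compress(b"<html><body>hello</body></html>")
BOMB_BODY = gzip.compress(b"\0" * (8 * 1024 * 1024))  # 8 MiB of zeros -> ~8 KB


class DecompressionLimitExceeded(Exception):
    """Raised when the inflated body would exceed the configured cap."""


def bounded_decompress(data: bytes, encoding: str, max_size: int,
                       chunk: int = 64 * 1024) -> bytes:
    """Inflate `data` incrementally, never holding more than max_size + chunk.

    Uses zlib's streaming API with max_length so that a small compressed
    body cannot force an unbounded amount of output into memory. `deflate`
    is assumed to be zlib-wrapped, as most servers send it.
    """
    wbits = {"gzip": 16 + zlib.MAX_WBITS, "x-gzip": 16 + zlib.MAX_WBITS,
             "deflate": zlib.MAX_WBITS}[encoding]
    inflater = zlib.decompressobj(wbits)
    out = bytearray()
    pending = data
    while not inflater.eof:
        piece = inflater.decompress(pending, chunk)  # at most `chunk` bytes
        pending = inflater.unconsumed_tail           # input not yet processed
        if not piece and not pending:
            raise ValueError("truncated compressed stream")
        out += piece
        if len(out) > max_size:
            raise DecompressionLimitExceeded(
                f"inflated body exceeds {max_size} bytes; aborting")
    return bytes(out)


def exceeds_limit(data: bytes, encoding: str, max_size: int) -> bool:
    """True if decompressing `data` would blow past the cap (used for checks)."""
    try:
        bounded_decompress(data, encoding, max_size)
    except DecompressionLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    print("bomb compressed size:", len(BOMB_BODY), "bytes")
    print("bomb rejected:", exceeds_limit(BOMB_BODY, "gzip", MAX_DECOMPRESSED_SIZE))
    print("benign body:", bounded_decompress(BENIGN_BODY, "gzip", MAX_DECOMPRESSED_SIZE))
```

The bomb is rejected after inflating just over the cap, so peak memory stays near `max_size` rather than the full 8 MiB the attacker chose.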


Remediation

Install security update from vendor's website.
