Origin validation error in scrapy - #VU127077

 


Published: March 1, 2022 / Updated: April 23, 2026


Vulnerability identifier: #VU127077
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-346
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: scrapy
Software vendor: scrapy.org

Description

The vulnerability allows a remote attacker to inject cookies into requests sent to other domains sharing the same public suffix.

The vulnerability exists due to improper cookie domain validation in the cookie handling logic when processing responses from domain names whose public suffix contains one or more periods. A remote attacker can send a response that sets a crafted cookie domain to inject cookies into requests sent to other domains sharing the same public suffix.

This affects public domain suffixes that contain one or more periods, such as co.uk.
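The class of check described above can be shown with an added example (not Scrapy's code or its fix): it contrasts an assumed validation that only refuses dot-less cookie domains with one that also consults a public suffix list. `PUBLIC_SUFFIXES`, the function names and the sample hosts are constructed for illustration.

```python
# Added illustration; not Scrapy's code. PUBLIC_SUFFIXES is a tiny constructed
# stand-in for the real Public Suffix List (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "org.uk", "com.au"}


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match on lowercased host names."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def naive_accepts(response_host: str, domain_attr: str) -> bool:
    """Assumed weak check: only dot-less suffixes such as 'com' are refused."""
    domain = domain_attr.lower().lstrip(".")
    return "." in domain and domain_match(response_host.lower(), domain)


def strict_accepts(response_host: str, domain_attr: str) -> bool:
    """Also refuse any Domain attribute that is itself a public suffix."""
    domain = domain_attr.lower().lstrip(".")
    if domain in PUBLIC_SUFFIXES:
        return False
    return domain_match(response_host.lower(), domain)


def audit(cases):
    """Return (host, domain, naive, strict) for each constructed case."""
    return [(h, d, naive_accepts(h, d), strict_accepts(h, d)) for h, d in cases]


# Constructed sample input: response host and the Domain attribute it sets.
CASES = [
    ("shop.example.co.uk", "example.co.uk"),  # legitimate parent-domain cookie
    ("shop.example.co.uk", ".co.uk"),         # public suffix with a period
    ("shop.example.com", "com"),              # dot-less public suffix
    ("shop.example.co.uk", "other.co.uk"),    # unrelated registrable domain
]

if __name__ == "__main__":
    for host, domain, naive, strict in audit(CASES):
        print(f"{host:22} Domain={domain:15} naive={naive!s:5} strict={strict}")
```

Only the `.co.uk` case differs between the two checks, which is the multi-label suffix condition the description names. A production check would load the full Public Suffix List rather than a hard-coded set.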


Remediation

Install the security update from the vendor's website.
