A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive.
Weakness
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Scrapy | Scrapy | * | 2.11.1 (excluding) |
| Python-scrapy | Ubuntu | bionic | * |
| Python-scrapy | Ubuntu | esm-apps/bionic | * |
| Python-scrapy | Ubuntu | esm-apps/focal | * |
| Python-scrapy | Ubuntu | esm-apps/jammy | * |
| Python-scrapy | Ubuntu | esm-apps/xenial | * |
| Python-scrapy | Ubuntu | focal | * |
| Python-scrapy | Ubuntu | jammy | * |
| Python-scrapy | Ubuntu | mantic | * |
| Python-scrapy | Ubuntu | trusty | * |
| Python-scrapy | Ubuntu | upstream | * |
| Python-scrapy | Ubuntu | xenial | * |
Extended Description
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.