A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive.
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Python-scrapy | Ubuntu | bionic | * |
| Python-scrapy | Ubuntu | mantic | * |
| Python-scrapy | Ubuntu | trusty | * |
| Python-scrapy | Ubuntu | xenial | * |
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.