What is CVE-2024-3572?

CVE-2024-3572 is a high-severity vulnerability in Scrapy Scrapy/scrapy, classified under Improper Handling of Highly Compressed Data (Data Amplification). CVSS score: 7.5/10. Published 2024-04-16.

How severe is CVE-2024-3572?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2024-3572 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Scrapy Scrapy/scrapy

CVE-2024-3572

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service…

EPSS: 0.002 (36.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Scrapy Scrapy/scrapy — versions unspecified

Weakness classification (CWE)

CWE-409 — Improper Handling of Highly Compressed Data (Data Amplification)

Public proof-of-concept exploits

leoambrus/artefactswithoutCVEonGitHubAdvisoryDatabase

References

Frequently asked questions

What is CVE-2024-3572?: CVE-2024-3572 is a high-severity vulnerability in Scrapy Scrapy/scrapy, classified under Improper Handling of Highly Compressed Data (Data Amplification). CVSS score: 7.5/10. Published 2024-04-16.
How severe is CVE-2024-3572?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2024-3572 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.