CVE-2024-3572

CVE Database · CVE-2024-3572

CVE-2024-3572

· N/AAnalyzed

CVSS v3.1

N/A

EPSS

0.81%

Published

Apr 15, 2024

Modified

Jul 28, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.

Weaknesses (CWE)

CWE-409

Affected Products (1)

scrapy · scrapy (up to 2.11.1)vulnerable

References (4)

https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f

Patch

https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb

ExploitIssue TrackingThird Party Advisory

https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f

Patch

https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb

ExploitIssue TrackingThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs