Scrapy (Python) – Support, CVEs & Health

GHSA-23j4-mw76-5v7h CVSS_V3

Scrapy allows redirect following in protocols other than HTTP

Published: 2024-05-14 Fixed in: 2.11.2

GHSA-2qfp-q593-8484 CVSS_V3

Scrapy is vulnerable to a denial of service (DoS) attack due to flaws in brotli decompression implementation

Published: 2025-10-31 Fixed in: 1.2.0

GHSA-4qqq-9vqf-3h3f CVSS_V3

Scrapy leaks the authorization header on same-domain but cross-origin redirects

Published: 2024-05-14 Fixed in: 2.11.2

GHSA-7j7m-v7m3-jqm7 CVSS_V3

Scrapy decompression bomb vulnerability

Published: 2024-02-16 Fixed in: 2.11.1

GHSA-9x8m-2xpf-crp3 Unknown

Scrapy before 2.6.2 and 1.8.3 vulnerable to one proxy sending credentials to another

Published: 2022-07-29 Fixed in: 1.8.3

GHSA-cc65-xxvf-f7r9 CVSS_V3

Scrapy vulnerable to ReDoS via XMLFeedSpider

Published: 2024-02-15 Fixed in: 2.11.1

GHSA-cjvr-mfj7-j4j8 CVSS_V3

Incorrect Authorization and Exposure of Sensitive Information to an Unauthorized Actor in scrapy

Published: 2022-03-01 Fixed in: 1.8.2

GHSA-cw9j-q3vf-hrrv CVSS_V3

Scrapy authorization header leakage on cross-domain redirect

Published: 2024-02-15 Fixed in: 2.11.1

GHSA-cwxj-rr6w-m6w7 CVSS_V3

Scrapy: Arbitrary Module Import via Referrer-Policy Header in RefererMiddleware

Published: 2026-03-13 Fixed in: 2.14.2

GHSA-h7wm-ph43-c39p CVSS_V3

Scrapy denial of service vulnerability

Published: 2022-05-17 No fix available

Scrapy