Bug ID 1221986
Summary VUL-0: : python-Scrapy: decompression bomb vulnerability
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.5
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter andrea.mattiazzo@suse.com
QA Contact qa-bugs@suse.de
Target Milestone ---
Found By ---
Blocker ---

Scrapy limits allowed response sizes by default through the DOWNLOAD_MAXSIZE
and DOWNLOAD_WARNSIZE settings.

However, those limits were only being enforced during the download of the raw,
usually-compressed response bodies, and not during decompression, making Scrapy
vulnerable to decompression bombs.

A malicious website being scraped could send a small response that, on
decompression, could exhaust the memory available to the Scrapy process,
potentially affecting any other process sharing that memory, and also consume
disk space when uncompressed responses are cached.
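The check the report says was missing, as an added illustration (not Scrapy's own code or its fix): the decompressed output is counted while inflating, rather than only the compressed bytes on the wire. `max_size` is a hypothetical stand-in for a limit like DOWNLOAD_MAXSIZE, and the sample bodies are constructed inline.

```python
import gzip
import zlib


class DecompressionBombError(Exception):
    """Raised when decompressed output would exceed the configured limit."""


def bounded_gunzip(data: bytes, max_size: int, chunk_size: int = 8192) -> bytes:
    """Inflate gzip/zlib `data`, aborting once the output exceeds `max_size`.

    A cap on len(data) alone is not enough: a few kilobytes of compressed
    input can inflate to gigabytes. zlib.decompressobj() with max_length
    yields output in bounded pieces, so the total can be counted and the
    work stopped early.
    """
    # wbits = MAX_WBITS | 32 auto-detects a gzip or zlib header.
    inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)
    out = bytearray()
    pending = data
    while True:
        chunk = inflater.decompress(pending, chunk_size)
        out.extend(chunk)
        if len(out) > max_size:
            raise DecompressionBombError(
                f"decompressed size exceeds {max_size} bytes "
                f"(compressed input was only {len(data)} bytes)"
            )
        if inflater.eof:
            return bytes(out)
        if not chunk and not inflater.unconsumed_tail:
            raise ValueError("truncated compressed body")
        # Input zlib has not consumed yet is fed back on the next round.
        pending = inflater.unconsumed_tail


# Constructed samples: a normal small body, and a "bomb" of 8 MiB of zeros
# that compresses to a few kilobytes and so passes any raw-size limit.
SAMPLE_BODY = gzip.compress(b"<html><body>hello scrapy</body></html>")
SAMPLE_BOMB = gzip.compress(b"\0" * (8 * 1024 * 1024))
MAX_SIZE = 1024 * 1024  # hypothetical stand-in for DOWNLOAD_MAXSIZE (1 MiB)


def check_body(data: bytes, max_size: int = MAX_SIZE) -> str:
    """Classify a compressed body as "ok" or "bomb" under max_size."""
    try:
        bounded_gunzip(data, max_size)
    except DecompressionBombError:
        return "bomb"
    return "ok"
```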

References:
https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7
