https://bugzilla.suse.com/show_bug.cgi?id=1221986

Bug ID: 1221986
Summary: VUL-0: : python-Scrapy: decompression bomb vulnerability
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.5
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: andrea.mattiazzo@suse.com
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

Scrapy limits allowed response sizes by default through the DOWNLOAD_MAXSIZE and DOWNLOAD_WARNSIZE settings. However, those limits were only enforced during the download of the raw, usually compressed response bodies, and not during decompression, making Scrapy vulnerable to decompression bombs. A malicious website being scraped could send a small response that, on decompression, could exhaust the memory available to the Scrapy process, potentially affecting any other process sharing that memory, and affecting disk usage in case of uncompressed response caching.

References:
https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7
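The bug class described above, as an added example that is not Scrapy's own code: a size check applied only to the compressed download (the pattern the advisory describes) next to a streaming decompressor that enforces the same limit on the decompressed output. The function names, the limit values and the constructed gzip bodies are assumptions of this example; they are not taken from Scrapy or from the advisory.

```python
"""Bounded decompression of a compressed HTTP body (added example, not Scrapy code).

The advisory's point: a limit enforced on the compressed bytes says nothing
about the decompressed size. A body of a few kilobytes can inflate to many
megabytes, so the limit has to be re-applied while decompressing.
"""
import gzip
import zlib

ONE_MIB = 1024 * 1024


class DecompressionLimitExceeded(Exception):
    """Raised when output would exceed the configured size limit."""


def decompress_size_checked_before_only(data: bytes, max_size: int) -> bytes:
    """The vulnerable pattern, shown for contrast: the limit is checked on the
    compressed bytes only, then decompression runs unbounded."""
    if len(data) > max_size:
        raise DecompressionLimitExceeded("compressed body too large")
    return gzip.decompress(data)  # may allocate far more than max_size


def decompress_bounded(data: bytes, max_size: int, chunk_size: int = 64 * 1024) -> bytes:
    """Decompress a gzip or zlib body, aborting as soon as output exceeds max_size.

    Output is pulled in pieces of at most chunk_size bytes via max_length, so
    peak memory is bounded by max_size + chunk_size whatever the compression
    ratio. wbits = 32 + MAX_WBITS lets zlib auto-detect gzip or zlib headers.
    """
    d = zlib.decompressobj(wbits=32 + zlib.MAX_WBITS)
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, chunk_size)
        out += piece
        if len(out) > max_size:
            raise DecompressionLimitExceeded(
                f"decompressed output exceeds {max_size} bytes "
                f"(compressed input was only {len(data)} bytes)"
            )
        # Input zlib could not yet consume (output buffer was full) comes back
        # here; an empty tail with an empty piece means the input ran out.
        pending = d.unconsumed_tail
        if not piece and not pending:
            break
    if not d.eof:
        raise zlib.error("truncated compressed stream")
    out += d.flush()
    if len(out) > max_size:
        raise DecompressionLimitExceeded(f"decompressed output exceeds {max_size} bytes")
    return bytes(out)


def exceeds_limit(data: bytes, max_size: int) -> bool:
    """True if decompressing `data` would produce more than max_size bytes."""
    try:
        decompress_bounded(data, max_size)
    except DecompressionLimitExceeded:
        return True
    return False


# Constructed test bodies (not real traffic): 8 MiB of zeros compresses to a
# few kilobytes, which is the shape of a decompression bomb; and a tiny body.
CONSTRUCTED_HIGH_RATIO_BODY = gzip.compress(b"\0" * (8 * ONE_MIB))
CONSTRUCTED_SMALL_BODY = gzip.compress(b"hello")

if __name__ == "__main__":
    limit = ONE_MIB
    print(f"compressed size: {len(CONSTRUCTED_HIGH_RATIO_BODY)} bytes, limit: {limit}")
    # The compressed-only check lets the body through and allocates 8 MiB.
    print("naive check decompressed:",
          len(decompress_size_checked_before_only(CONSTRUCTED_HIGH_RATIO_BODY, limit)))
    # The bounded decompressor stops shortly after the limit is crossed.
    print("bounded check rejects:", exceeds_limit(CONSTRUCTED_HIGH_RATIO_BODY, limit))
```

The same limit value is applied twice: once to the bytes on the wire and once to the bytes produced by the decompressor. Only the second check protects memory, and because it runs per chunk the process never holds more than the limit plus one chunk before aborting.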