Scrapy Denial-of-Service Vulnerability via Brotli Decompression Bomb

Vulnerability

A denial-of-service vulnerability affects Scrapy versions prior to 2.13.2. Scrapy's Brotli decompression handling does not bound the size of the decompressed output, so it offers no protection against decompression bombs. A malicious remote server can exploit this to crash any Scrapy client with less than roughly 80 GB of available memory: Brotli compresses zero-filled data at an extremely high ratio, so a small response body expands to tens of gigabytes when decompressed and exhausts the client's memory.

Impact

A remote server that a spider crawls can make the Scrapy process run out of memory and crash, terminating the crawl.

Reproduction

The vulnerability can be reproduced by generating a Brotli compression bomb: create a 64 GB file of zeroes with a tool such as `dd`, compress it with Brotli, and serve the compressed file from a web server with the response marked as Brotli-encoded (`Content-Encoding: br`). When a Scrapy spider visits that URL, the client attempts to decompress the full 64 GB into memory and crashes.
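The defensive pattern Scrapy lacked for Brotli, shown as an added example that is not Scrapy's code or part of the advisory. zlib from the Python standard library stands in for Brotli because it ships with Python and exposes a per-call output cap (`max_length`); the bomb and all sizes are constructed for the demo. The same bounded-output loop is what any decompression routine needs in order to honour a size limit; the Brotli Python bindings need an equivalent output cap, which the advisory notes depended on an upstream fix.

```python
import zlib

# Constructed sample sizes (not from the advisory): an 8 MiB plaintext keeps
# the demo fast; the advisory's 64 GB bomb is the same construction at scale.
PLAINTEXT_SIZE = 8 * 1024 * 1024
ATTACK_PLAINTEXT_SIZE = 64 * 1024 ** 3  # the 64 GB of zeroes from the advisory


class DecompressionBombError(ValueError):
    """Raised when decompressed output would exceed the configured limit."""


def make_zero_bomb(size: int = PLAINTEXT_SIZE) -> bytes:
    """Compress `size` zero bytes. A run of a single byte compresses to roughly
    one thousandth of its size, which is what makes the bomb cheap to host."""
    return zlib.compress(b"\x00" * size, 9)


def compression_ratio(compressed: bytes, plaintext_size: int) -> float:
    """Plaintext bytes per compressed byte."""
    return plaintext_size / len(compressed)


def naive_decompress(data: bytes) -> bytes:
    """The vulnerable pattern: decompress everything into memory, however
    large the output turns out to be. Peak memory equals the plaintext size."""
    return zlib.decompress(data)


def safe_decompress(data: bytes, max_size: int, chunk: int = 64 * 1024) -> bytes:
    """Hardened pattern: decompress incrementally, at most `chunk` bytes per
    step, and abort as soon as the running total exceeds `max_size`.

    Peak memory is bounded by max_size + chunk regardless of how large the
    compressed stream actually expands to.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while True:
        piece = d.decompress(pending, chunk)  # output capped at `chunk` bytes
        out += piece
        if len(out) > max_size:
            raise DecompressionBombError(
                f"decompressed size exceeds limit of {max_size} bytes"
            )
        pending = d.unconsumed_tail  # input zlib has not consumed yet
        if d.eof:
            return bytes(out)
        if not pending and not piece:
            # No input left and nothing produced: the stream is truncated.
            raise zlib.error("truncated compressed stream")


if __name__ == "__main__":
    bomb = make_zero_bomb()
    print(f"{PLAINTEXT_SIZE} bytes of zeroes -> {len(bomb)} compressed bytes "
          f"(ratio {compression_ratio(bomb, PLAINTEXT_SIZE):.0f}:1)")
    try:
        safe_decompress(bomb, max_size=1024 * 1024)
    except DecompressionBombError as exc:
        print("rejected:", exc)
```

The key difference is where the size check runs: `naive_decompress` only learns the output size after it has already been allocated, while `safe_decompress` checks after every bounded step, so a response advertising a few kilobytes cannot force the process to allocate gigabytes.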

Remediation

Users are advised to update to Scrapy version 2.13.2 or later. Because Scrapy's fix relies on the Python Brotli bindings being able to cap decompressed output, the `brotli` package must also be updated to a release that includes the corresponding fix; with an older `brotli` package installed, upgrading Scrapy alone does not close the issue.

Added: Oct 31, 2025, 12:26 AM
Updated: Oct 31, 2025, 12:26 AM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 6.0
remediation: 0.0
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.