Scrapy is a widely used PyPI package. As of 2026-05-24, there are 18 known vulnerabilities in the OSV database. The latest stable version is 2.16.0. Developers should audit their dependency trees and update to patched versions.
Package Overview
Known Vulnerabilities (18)
| ID | Severity | Score | Affected Versions | Fixed In | Description |
|---|---|---|---|---|---|
| CVE-2025-6176 | HIGH | 7.5 | 0 to 1.2.0; 0 to 2.13.4 | 1.2.0 | Scrapy is vulnerable to a denial of service (DoS) attack due to flaws in brotli decompression implementation |
| CVE-2024-3572 | HIGH | 7.5 | 2.0.0 to 2.11.1; 0 to 1.8.4 | 2.11.1 | Scrapy decompression bomb vulnerability |
| CVE-2024-1892 | HIGH | 7.5 | 2 to 2.11.1; 0 to 1.8.4 | 2.11.1 | Scrapy vulnerable to ReDoS via XMLFeedSpider |
| CVE-2024-3574 | HIGH | 7.5 | 2 to 2.11.1; 0 to 1.8.4 | 2.11.1 | Scrapy authorization header leakage on cross-domain redirect |
| GHSA-cwxj-rr6w-m6w7 | HIGH | 7.5 | 1.4.0 to 2.14.2 | 2.14.2 | Scrapy: Arbitrary Module Import via Referrer-Policy Header in RefererMiddleware |
| CVE-2017-14158 | HIGH | 7.5 | >= 0.7 | N/A | Scrapy denial of service vulnerability |
| GHSA-23j4-mw76-5v7h | MODERATE | 5.0 | 0 to 2.11.2 | 2.11.2 | Scrapy allows redirect following in protocols other than HTTP |
| CVE-2024-1968 | MODERATE | 5.0 | 0 to 2.11.2 | 2.11.2 | Scrapy leaks the authorization header on same-domain but cross-origin redirects |
| GHSA-9x8m-2xpf-crp3 | MODERATE | 5.0 | 0 to 1.8.3; 2.0.0 to 2.6.2 | 1.8.3 | Scrapy before 2.6.2 and 1.8.3 vulnerable to one proxy sending credentials to another |
| CVE-2022-0577 | MODERATE | 5.0 | 0 to 1.8.2; 2.0.0 to 2.6.1 | 1.8.2 | Incorrect Authorization and Exposure of Sensitive Information to an Unauthorized Actor in scrapy |
| GHSA-jm3v-qxmh-hxwv | MODERATE | 5.0 | 0 to 2.11.2 | 2.11.2 | Scrapy's redirects ignoring scheme-specific proxy settings |
| CVE-2021-41125 | MODERATE | 5.0 | 0 to 1.8.1; 2.0.0 to 2.5.1 | 1.8.1 | Scrapy HTTP authentication credentials potentially leaked to target websites |
| GHSA-mfjm-vh54-3f96 | MODERATE | 5.0 | 0 to 1.8.2; 2.0.0 to 2.6.0 | 1.8.2 | Scrapy cookie-setting is not restricted based on the public suffix list |
| CVE-2017-14158 | UNKNOWN | - | >= 0.7 | N/A | Scrapy 1.4 allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files a |
| CVE-2021-41125 | UNKNOWN | - | 0 to b01d69a1bf48060daec8f751368622352d8b85a6; 2.0.0 to 2.5.1 | b01d69a1bf48060daec8f751368622352d8b85a6 | Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests wi |
| CVE-2022-0577 | UNKNOWN | - | 0 to 8ce01b3b76d4634f55067d6cfdf632ec70ba304a; 0 to 2.6.1 | 8ce01b3b76d4634f55067d6cfdf632ec70ba304a | Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1. |
| CVE-2024-1892 | UNKNOWN | - | 0 to 479619b340f197a8f24c5db45bc068fb8755f2c5; 0 to 2.11.1 | 479619b340f197a8f24c5db45bc068fb8755f2c5 | A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML conte |
| CVE-2024-1968 | UNKNOWN | - | 0 to 1d0502f25bbe55a22899af915623fda1aaeb9dd8; 2.0.0 to 2.11.2 | 1d0502f25bbe55a22899af915623fda1aaeb9dd8 | In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behav |
Security Recommendations
- Pin Scrapy to the latest stable version (2.16.0) in your dependency manifest
- Enable automated dependency updates with Dependabot or Renovate
- Run regular vulnerability scans using
pip-audit - Review your lock file (requirements.txt) after every update
- Monitor the OSV database and NIST NVD for new advisories
FAQ
Is Scrapy safe to use?
Scrapy is actively maintained and widely used. As of 2026-05-24, there are 18 known vulnerabilities listed in the OSV database. Most have patches available. Keeping your dependencies updated and running regular security audits significantly reduces risk.
What vulnerabilities does Scrapy have?
The OSV database currently lists 18 vulnerabilities for Scrapy. These range in severity and are detailed in the vulnerability table above. Check the linked advisories for full technical details and remediation guidance.
How do I update Scrapy to fix vulnerabilities?
Run pip install --upgrade scrapy to get the newest version. Use pip-audit or safety check to scan for known vulnerabilities. Pin your dependencies with a requirements file and review updates regularly.
Using AI-Generated Code with Scrapy?
Our vibe coding security audit checks for misconfigurations, exposed secrets and vulnerable dependencies in AI-generated codebases. If your project uses Scrapy, we can verify it is locked to a safe version and properly configured.
Get a Vibe Coding Security Audit