Unsafe Reflection Affecting scrapy package, versions [1.4.0,2.14.2)

Q: How to fix?

Upgrade Scrapy to version 2.14.2 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-PYTHON-SCRAPY-15624315
published15 Mar 2026
disclosed13 Mar 2026
creditTomer Fichman

Report a new vulnerability Found a mistake?

Introduced: 13 Mar 2026

NewCWE-470 (opens in a new tab)

How to fix?

Upgrade Scrapy to version 2.14.2 or higher.

Overview

Scrapy is a high-level web crawling and web scraping framework, used to crawl websites and extract structured data from their pages.

Affected versions of this package are vulnerable to Unsafe Reflection via the Referrer-Policy header handled by RefererMiddleware(). An attacker can execute commands by supplying a malicious import path such as sys.exit in the response header which is read by the vulnerable application.

Workaround

This vulnerability can be avoided by disabling the middleware, setting the REFERER_ENABLED setting to False, manually setting the Referer header, or setting the referrer_policy meta key on all requests.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
Passive

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None