
Cloud Vulnerability DB
A community-led vulnerabilities database
binux pyspider up to version 0.3.10 contains a Cross-Site Request Forgery (CSRF) vulnerability via the Flask endpoints. The vulnerability was discovered in September 2024 and disclosed in December 2024. This security issue affects the WebUI component of pyspider, a web crawling framework written in Python (NVD, Sonar Blog).
The vulnerability stems from the lack of CSRF protection on the Flask endpoints combined with HTTP Basic authentication. Unlike session cookies, which can be scoped with the SameSite attribute, Basic auth credentials are attached by the browser as an Authorization header to every request for that origin, including cross-site requests, so the endpoints are susceptible to CSRF. The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).
An attacker can potentially execute arbitrary code on the host running pyspider by tricking an authenticated victim into clicking a malicious link. This is particularly severe because the WebUI component of pyspider allows project management and code execution by design (Sonar Blog).
After the vulnerability was reported, the maintainer archived the repository on GitHub to indicate that the project is no longer maintained. Users are advised not to run unmaintained code or, as a last resort, to disable the WebUI component of pyspider (Sonar Blog).
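The server-side check that is missing from the affected endpoints, shown as an added example that is not pyspider's code or Sonar's: a state-changing request is rejected unless its origin metadata (Sec-Fetch-Site, Origin or Referer) matches the host the WebUI is served from and it carries a CSRF token bound to the Basic-auth username, since with Basic auth there is no session to bind to. The host name, the server secret, the sample requests and all function names are constructed for the example; the logic is kept framework-independent so it runs offline.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed example values: the host the WebUI is assumed to be served from,
# and a server-side secret that in a real deployment would come from configuration.
ALLOWED_HOST = "pyspider.internal:5000"
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def is_cross_site(headers, allowed_host=ALLOWED_HOST):
    """Decide from origin metadata whether the request came from another site.

    The browser attaches Basic-auth credentials to cross-site requests too, so the
    server cannot infer anything from the presence of valid credentials; it must
    look at Sec-Fetch-Site, Origin or Referer. Missing metadata fails closed.
    """
    h = {k.lower(): v for k, v in headers.items()}
    fetch_site = h.get("sec-fetch-site")
    if fetch_site is not None:
        # Sent by modern browsers on every request; "none" is a user-initiated
        # navigation. "same-site" (a sibling subdomain) is deliberately not trusted.
        return fetch_site not in ("same-origin", "none")
    for name in ("origin", "referer"):
        value = h.get(name)
        if value:
            return urlsplit(value).netloc.lower() != allowed_host.lower()
    return True


def make_csrf_token(user, secret=SERVER_SECRET):
    """Issue a token bound to the authenticated user (Basic auth has no session id)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(user, token, secret=SERVER_SECRET):
    """Recompute the MAC for this user and nonce and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def reject_request(method, headers, form, user):
    """Gate for a state-changing endpoint. Returns (rejected, reason)."""
    if method.upper() in SAFE_METHODS:
        return False, "safe method"
    if is_cross_site(headers):
        return True, "cross-site request"
    if not verify_csrf_token(user, form.get("csrf_token")):
        return True, "missing or invalid CSRF token"
    return False, "ok"


if __name__ == "__main__":
    user = "admin"  # constructed: the Basic-auth username of the victim session
    token = make_csrf_token(user)
    same_origin = {"Sec-Fetch-Site": "same-origin", "Origin": "http://pyspider.internal:5000"}
    other_site = {"Sec-Fetch-Site": "cross-site", "Origin": "http://other-site.example"}
    print(reject_request("POST", same_origin, {"csrf_token": token}, user))  # (False, 'ok')
    print(reject_request("POST", other_site, {"csrf_token": token}, user))   # (True, 'cross-site request')
    print(reject_request("POST", same_origin, {}, user))                      # (True, 'missing or invalid CSRF token')
```

In a Flask application this gate would run from a `before_request` hook, passing `request.method`, `request.headers`, `request.form` and `request.authorization.username`, and aborting with 403 when it returns rejected; the token is rendered into the WebUI's own forms and pages so that only same-origin pages can obtain it. The origin check alone already blocks the CSRF described above in current browsers; the token covers clients that send no origin metadata.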
Source: This report was generated using AI