
Cloud Vulnerability DB
A community-led vulnerabilities database
A moderate severity vulnerability was identified in Scrapy (GHSA-mfjm-vh54-3f96), affecting versions <1.8.2 and >=2.0.0, <2.6.0. The vulnerability was published on March 1, 2022, and involves cookie-setting functionality that is not properly restricted based on the public suffix list (GitHub Advisory).
The vulnerability allows responses from a host under a public suffix that contains one or more periods (e.g., example.co.uk, under the public suffix co.uk) to set cookies scoped to that shared suffix, so the cookies are then included in requests to any other domain sharing the same suffix. This occurs because Scrapy does not validate cookie domains against the public suffix list (GitHub Advisory).
An attacker who controls such a domain could exploit this vulnerability to inject cookies into the victim's cookiejar, which would then be sent to other domains not controlled by the attacker. This could lead to cookie injection attacks across domains sharing the same public suffix (GitHub Advisory).
Users are advised to upgrade to Scrapy 2.6.0 or later, which restricts cookie domains based on the public suffix list. Users on Scrapy 1.8 or earlier who cannot upgrade to 2.6.0 are recommended to upgrade to version 1.8.2. Alternatively, users can either disable cookies altogether or limit target domains to those that do not fall under public suffixes containing periods (GitHub Advisory).
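As an added illustration (not Scrapy's code), the domain check at the heart of this advisory, written in Python: a plain domain-match that accepts `Domain=.co.uk` from a response at example.co.uk, beside a hardened check that also rejects any Domain attribute that is itself a public suffix. The `PUBLIC_SUFFIXES` fragment is constructed for the example and the function names are assumptions; a real deployment would load the full public suffix list.

```python
# Constructed fragment of the public suffix list (the real list at
# https://publicsuffix.org/list/ is far larger). Used only for illustration.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "github.io"}


def public_suffix(host: str) -> str:
    """Return the longest public suffix of host.

    Falls back to the last label when no rule matches, mirroring the
    PSL's implicit "*" rule for unknown top-level domains.
    """
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):  # longest candidate first
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals cookie_domain or is a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def weak_accepts(response_host: str, cookie_domain: str) -> bool:
    """Pre-fix behaviour: any domain the response host domain-matches is
    accepted, so a response from example.co.uk may set Domain=.co.uk and the
    cookie is later sent to every other *.co.uk host."""
    return domain_matches(response_host, cookie_domain)


def hardened_accepts(response_host: str, cookie_domain: str) -> bool:
    """Post-fix behaviour: the Domain attribute must domain-match the response
    host AND have at least one label beyond its public suffix."""
    if not cookie_domain:  # host-only cookie: no Domain attribute, always fine
        return True
    if not domain_matches(response_host, cookie_domain):
        return False
    d = cookie_domain.lower().lstrip(".")
    # public_suffix(d) is always a suffix of d, so a longer d has an extra label
    return len(d) > len(public_suffix(d))


if __name__ == "__main__":
    print("weak:    ", weak_accepts("example.co.uk", ".co.uk"))      # True
    print("hardened:", hardened_accepts("example.co.uk", ".co.uk"))  # False
```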
Source: This report was generated using AI