Information disclosure in scrapy - #VU127069


Published: May 14, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127069
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: scrapy
Software vendor: scrapy.org

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists because the redirect handling logic keeps the Authorization header on redirects that stay on the same domain but land on a different origin. A remote attacker in a man-in-the-middle position can capture the forwarded header and disclose sensitive information.

The issue affects the Authorization header when the scheme or port of the redirect target changes while the domain remains the same.
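The defect described above is a domain-only comparison where a full origin comparison is needed. The following is an added illustration, not scrapy's own code: a constructed domain-only check beside a scheme/host/port check, and a helper that drops Authorization from the redirected request whenever the origin differs. The URLs and header names in the comments are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed example, not scrapy's own code: compare the origin of a redirect
# target with the origin of the request that carried the Authorization header.

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple[str, str, int]:
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, -1)
    return scheme, host, port


def weak_keep_authorization(request_url: str, redirect_url: str) -> bool:
    """Domain-only comparison, the kind of check the advisory describes.

    A redirect from https://example.test/ to http://example.test:8080/ passes
    this check, so the Authorization header would be forwarded to a different
    origin (and over plaintext in that case).
    """
    return origin(request_url)[1] == origin(redirect_url)[1]


def safe_keep_authorization(request_url: str, redirect_url: str) -> bool:
    """Full-origin comparison: keep the header only when scheme, host and port
    all match, which is the same-origin rule browsers apply."""
    return origin(request_url) == origin(redirect_url)


def headers_for_redirect(headers: dict, request_url: str, redirect_url: str) -> dict:
    """Build the header set for the redirected request, dropping
    Authorization whenever the target is a different origin."""
    forwarded = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    if safe_keep_authorization(request_url, redirect_url):
        forwarded.update({k: v for k, v in headers.items() if k.lower() == "authorization"})
    return forwarded
```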


Remediation

Install the security update from the vendor's website.

External links