Unintended Proxy or Intermediary in scrapy - #VU127070

 


Published: May 14, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127070
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-441
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: scrapy
Software vendor: scrapy.org

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper handling of scheme-specific proxy settings in RedirectMiddleware, MetaRefreshMiddleware, and HttpProxyMiddleware when processing redirects that change URL schemes. A remote user can trigger a redirect between http and https URLs to disclose sensitive information.

The security impact is limited to deployments that use different system proxy configurations for HTTP and HTTPS.
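
A simplified model of the condition described above, added here as an example and not Scrapy's own code: it checks whether the proxy settings differ per scheme and lists the redirect hops where a proxy chosen for the first request would be reused for a URL whose scheme has a different proxy configured. The function names, sample URLs and sample proxies are constructed for illustration.

```python
from urllib.parse import urlsplit
from urllib.request import getproxies


def configured_proxy(url, proxies):
    """Proxy configured for the URL's scheme, or None for a direct connection."""
    return proxies.get(urlsplit(url).scheme.lower())


def is_exposed(proxies):
    """True when http and https resolve to different proxy settings."""
    return proxies.get("http") != proxies.get("https")


def audit_redirect_chain(urls, proxies):
    """Model the flawed behaviour: the proxy picked for the first URL is kept
    for every redirect hop. Return the hops where that carried proxy is not
    the one configured for the hop's scheme."""
    carried = configured_proxy(urls[0], proxies)
    findings = []
    for previous, current in zip(urls, urls[1:]):
        expected = configured_proxy(current, proxies)
        if carried != expected:
            findings.append({"from": previous, "to": current,
                             "carried": carried, "expected": expected})
    return findings


# Constructed sample data (not from the advisory).
SAMPLE_PROXIES = {"http": "http://proxy-a.example:3128",
                  "https": "http://proxy-b.example:3128"}
SAMPLE_CHAIN = ["http://site.example/start",
                "https://site.example/login",
                "https://site.example/home"]

if __name__ == "__main__":
    # Reads http_proxy / https_proxy from the environment, else OS settings.
    system = getproxies()
    print("system proxies differ per scheme:", is_exposed(system))
    for hop in audit_redirect_chain(SAMPLE_CHAIN, SAMPLE_PROXIES):
        print(hop)
```

Run it in the same environment as the crawler so that `getproxies()` sees the same proxy variables the spider process does.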


Remediation

Install the security update from the vendor's website.
