Improper access control in scrapy - CVE-2021-41125
Published: October 6, 2021 / Updated: April 23, 2026
Vulnerability identifier: #VU127079
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-41125
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
scrapy
scrapy
Software vendor:
scrapy.org
scrapy.org
Description
The vulnerability allows a remote attacker to disclose HTTP authentication credentials.
The vulnerability exists due to improper access control in HttpAuthMiddleware when handling requests to target websites. A remote attacker can trigger requests, redirects, or auxiliary requests to receive the configured HTTP authentication credentials and disclose HTTP authentication credentials.
This includes requests generated by Scrapy components such as robots.txt requests when ROBOTSTXT_OBEY is enabled, as well as requests reached through redirects.
Remediation
Install security update from vendor's website.