Cleartext transmission of sensitive information in scrapy - #VU137025

 

Cleartext transmission of sensitive information in scrapy - #VU137025

Published: July 7, 2026


Vulnerability identifier: #VU137025
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-319
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: scrapy.org
Affected software:
scrapy

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and modify transmitted data.

The vulnerability exists due to cleartext transmission of sensitive information in the S3DownloadHandler when sending signed s3 requests over plaintext http by default. A remote attacker can observe or tamper with network traffic to disclose sensitive information and modify transmitted data.

Only requests made with AWS credentials are affected, and temporary credentials may expose the X-Amz-Security-Token.


Remediation

Install security update from vendor's website.

Sources