Cleartext transmission of sensitive information in scrapy - #VU137025
Published: July 7, 2026
scrapy
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information and modify transmitted data.
The vulnerability exists due to cleartext transmission of sensitive information in the S3DownloadHandler when sending signed s3 requests over plaintext http by default. A remote attacker can observe or tamper with network traffic to disclose sensitive information and modify transmitted data.
Only requests made with AWS credentials are affected, and temporary credentials may expose the X-Amz-Security-Token.