PT-2021-23107 · Unknown · Scrapy-Splash

Gallaecio · Published 2021-10-05 · Updated 2021-10-14 · CVE-2021-41124

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: scrapy-splash versions prior to 0.8.0

Description: The issue affects users who rely on Scrapy's HttpAuthMiddleware to authenticate to Splash. Because that middleware attaches the configured credentials to every request the spider sends, any request that does not go through Splash exposes the Splash credentials to the request target. The common case is the robots.txt request Scrapy sends directly to each crawled host when the ROBOTSTXT_OBEY setting is True.

Recommendations: Upgrade to scrapy-splash 0.8.0 and use the new SPLASH_USER and SPLASH_PASS settings, which attach the credentials to Splash requests only. If you cannot upgrade, set your Splash credentials on a per-request basis using the splash_headers request parameter instead of defining them globally through HttpAuthMiddleware. Alternatively, make sure all of your requests go through Splash by disabling the robots.txt middleware (ROBOTSTXT_OBEY set to False); note that this only closes the robots.txt path, so any other request your spider sends outside Splash would still carry the credentials.
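The following stdlib-only Python is an added illustration, not scrapy-splash's or Scrapy's own code. It models a crawl with a minimal request object and shows which hosts end up receiving the Authorization header under the vulnerable global HttpAuthMiddleware pattern versus the per-request (splash_headers / SPLASH_USER and SPLASH_PASS) pattern the advisory recommends. The Splash endpoint, the Request class, the via_splash flag and the sample page list are all assumptions for the model.

```python
import base64
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

# Assumed Splash endpoint (what the SPLASH_URL setting would point at).
SPLASH_URL = "http://localhost:8050"


@dataclass
class Request:
    """Minimal stand-in for a Scrapy request: URL, headers, and whether it
    is routed to Splash (a SplashRequest) or sent straight to the target."""
    url: str
    via_splash: bool
    headers: Dict[str, str] = field(default_factory=dict)


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic credentials as Splash expects them (same shape as
    w3lib.http.basic_auth_header)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def outgoing_requests(pages: List[str], obey_robots: bool = True) -> List[Request]:
    """Requests a crawl would emit: every page is fetched through Splash, and
    with ROBOTSTXT_OBEY=True Scrapy first fetches /robots.txt from each host
    directly, bypassing Splash entirely."""
    reqs: List[Request] = []
    seen_hosts = set()
    for page in pages:
        parts = urlparse(page)
        if obey_robots and parts.netloc not in seen_hosts:
            seen_hosts.add(parts.netloc)
            reqs.append(Request(f"{parts.scheme}://{parts.netloc}/robots.txt", via_splash=False))
        # A real SplashRequest POSTs the target URL to Splash in a JSON body;
        # the target host only ever sees Splash, never the spider's headers.
        reqs.append(Request(f"{SPLASH_URL}/render.html", via_splash=True))
    return reqs


def global_http_auth(reqs: List[Request], user: str, password: str) -> List[Request]:
    """Vulnerable pattern: credentials configured once for the spider and
    added by HttpAuthMiddleware to every outgoing request, Splash-bound or not."""
    header = basic_auth_header(user, password)
    for req in reqs:
        req.headers["Authorization"] = header
    return reqs


def per_request_splash_auth(reqs: List[Request], user: str, password: str) -> List[Request]:
    """Mitigated pattern: credentials travel only with Splash-bound requests,
    which is what splash_headers={'Authorization': ...} per request, or the
    0.8.0 SPLASH_USER/SPLASH_PASS settings, achieve."""
    header = basic_auth_header(user, password)
    for req in reqs:
        if req.via_splash:
            req.headers["Authorization"] = header
    return reqs


def hosts_receiving_credentials(reqs: List[Request]) -> List[str]:
    """Hosts other than Splash that would receive the Authorization header,
    i.e. the parties the Splash credentials leak to."""
    splash_host = urlparse(SPLASH_URL).netloc
    leaked = {
        urlparse(req.url).netloc
        for req in reqs
        if "Authorization" in req.headers and urlparse(req.url).netloc != splash_host
    }
    return sorted(leaked)


if __name__ == "__main__":
    # Constructed sample crawl: two hosts, credentials that must stay with Splash.
    pages = ["https://example.com/a", "https://example.com/b", "https://other.test/x"]
    print("global HttpAuthMiddleware leaks to:",
          hosts_receiving_credentials(global_http_auth(outgoing_requests(pages), "splash", "s3cret")))
    print("per-request splash_headers leaks to:",
          hosts_receiving_credentials(per_request_splash_auth(outgoing_requests(pages), "splash", "s3cret")))
```

With the global pattern the model reports both crawled hosts as recipients of the Splash credentials (via their robots.txt fetches); with the per-request pattern the list is empty. Disabling robots.txt handling also empties the list in this model, but only because robots.txt is the sole non-Splash request here.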

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2021-41124
GHSA-823F-CWM9-4G74
PYSEC-2021-364

Affected Products

Scrapy-Splash