PT-2021-23108 · Scrapy+2

Gallaecio · Published 2021-10-06 · Updated 2025-05-05

CVE-2021-41125

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Scrapy versions prior to 2.5.1
Scrapy versions 1.8 and earlier

Description

The issue affects Scrapy when using HttpAuthMiddleware for HTTP authentication, causing all requests to expose credentials to the request target. This includes requests generated by Scrapy components, such as robots.txt requests or requests reached through redirects.
Recommendations

For Scrapy versions prior to 2.5.1, upgrade to Scrapy 2.5.1 and use the new http_auth_domain spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. For Scrapy versions 1.8 and earlier, upgrade to Scrapy 1.8.1 if upgrading to Scrapy 2.5.1 is not an option. If upgrading is not possible, set HTTP authentication credentials on a per-request basis, using the w3lib.http.basic_auth_header function to convert the credentials into a value that can be assigned to the Authorization header of the request.

Weakness Enumeration

Information Disclosure
Insufficiently Protected Credentials

Related Identifiers

CVE-2021-41125
DLA-2950-1
GHSA-JWQP-28GF-P498
OPENSUSE-SU-2024:11558-1
PYSEC-2021-363
USN-7476-1

Affected Products

Linuxmint
Scrapy
Ubuntu