PT-2022-13273 · Scrapy+2

Published

2022-03-01

·

Updated

2025-05-05

·

CVE-2022-0577

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Scrapy versions prior to 2.6.1
Description: The issue is an exposure of sensitive information to an unauthorized actor. When a Request object is created with manually defined cookies and receives a redirect response, the new Request object scheduled to follow the redirect keeps those user-defined cookies regardless of the target domain. Cookies given as a single dictionary carry no domain of their own, so they are attached to whichever host the follow-up request targets, and a redirect to another site leaks them to that site.
Recommendations: Upgrade to Scrapy 2.6.0 or later, which resets cookies when creating the Request object that follows a redirect and drops the Cookie header if manually defined cookies do not match the domain name of the redirect target URL. If upgrading to Scrapy 2.6.0 is not an option and you are using Scrapy 1.8 or lower, upgrade to Scrapy 1.8.2 instead. As a temporary workaround, set cookies as a list of dictionaries instead of a single dictionary and give each cookie the correct domain, so that it is only sent to that domain and its subdomains. Alternatively, disable cookies altogether or limit the crawl to trusted target domains.
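The following Python is an added model of the behaviour described in the description and recommendations above; it is not Scrapy's code and not part of this advisory. It contrasts a redirect follower that keeps user-defined cookies (the pre-fix behaviour as described) with one that resets them and drops a cross-host Cookie header (the fix as described), and uses a minimal cookie jar to show why cookies supplied as a list of dictionaries with an explicit domain do not follow a redirect to another site. The Request and CookieJar classes, the hostnames trusted.example and evil.example and the cookie values are assumptions made up for the example.

```python
"""Added model of CVE-2022-0577 (assumption: not Scrapy's own code): how user-defined
cookies follow a redirect before and after the described fix, and why the
list-of-dicts workaround helps. All hostnames and cookie values are made up."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Union
from urllib.parse import urlparse

Cookies = Union[Dict[str, str], List[Dict[str, str]]]


@dataclass
class Request:
    url: str
    cookies: Cookies = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)

    @property
    def host(self) -> str:
        return (urlparse(self.url).hostname or "").lower()


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: the host is the cookie domain or a subdomain of it."""
    domain = domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)


class CookieJar:
    """Minimal stand-in for a cookies middleware's jar (assumed: one jar per crawl)."""

    def __init__(self) -> None:
        self._store: Dict[tuple, str] = {}  # (domain, name) -> value

    def add_from_request(self, request: Request) -> None:
        if isinstance(request.cookies, dict):
            # A plain dict carries no domain: each cookie is bound to whatever host
            # the request targets, so it follows the request to any host.
            for name, value in request.cookies.items():
                self._store[(request.host, name)] = value
        else:
            # List form: honour the explicit domain, falling back to the request host.
            for c in request.cookies:
                domain = (c.get("domain") or request.host).lstrip(".").lower()
                self._store[(domain, c["name"])] = c["value"]

    def header_for(self, host: str) -> str:
        pairs = [(n, v) for (d, n), v in self._store.items() if domain_matches(host, d)]
        return "; ".join(f"{n}={v}" for n, v in pairs)


def follow_redirect_vulnerable(request: Request, location: str) -> Request:
    """Pre-fix behaviour as the advisory describes it: the redirected Request keeps
    the user-defined cookies and headers regardless of the target host."""
    return Request(location, cookies=request.cookies, headers=dict(request.headers))


def follow_redirect_fixed(request: Request, location: str) -> Request:
    """Fixed behaviour as the advisory describes it: cookies are reset on the new
    Request, and a manually set Cookie header is dropped when the host changes."""
    headers = dict(request.headers)
    if (urlparse(location).hostname or "").lower() != request.host:
        headers.pop("Cookie", None)
    return Request(location, cookies={}, headers=headers)


def sent_to_target(follow: Callable[[Request, str], Request], cookies: Cookies,
                   location: str, raw_cookie_header: Optional[str] = None) -> str:
    """Return the cookie material the redirect target would receive."""
    headers = {"Cookie": raw_cookie_header} if raw_cookie_header else {}
    jar = CookieJar()
    first = Request("https://trusted.example/login", cookies=cookies, headers=headers)
    jar.add_from_request(first)           # first request goes out, cookies enter the jar
    redirected = follow(first, location)  # a 3xx response points at `location`
    jar.add_from_request(redirected)      # middleware processes the follow-up request
    parts = [redirected.headers.get("Cookie", ""), jar.header_for(redirected.host)]
    return "; ".join(p for p in parts if p)


if __name__ == "__main__":
    session = {"session": "s3cr3t"}
    scoped = [{"name": "session", "value": "s3cr3t", "domain": "trusted.example"}]
    for label, follow in (("vulnerable", follow_redirect_vulnerable), ("fixed", follow_redirect_fixed)):
        print(f"{label:10} dict cookies   -> evil.example:        {sent_to_target(follow, session, 'https://evil.example/')!r}")
        print(f"{label:10} scoped cookies -> evil.example:        {sent_to_target(follow, scoped, 'https://evil.example/')!r}")
        print(f"{label:10} scoped cookies -> api.trusted.example: {sent_to_target(follow, scoped, 'https://api.trusted.example/')!r}")
```

Running the block prints, for the vulnerable follower, the session cookie arriving at evil.example when it was supplied as a dict and an empty string when it was supplied with an explicit domain; the fixed follower sends nothing to evil.example in either case while still sending jar cookies to the original host.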

Weakness Enumeration

Incorrect Authorization
Information Disclosure

Related Identifiers

CVE-2022-0577
DLA-2950-1
GHSA-CJVR-MFJ7-J4J8
OPENSUSE-SU-2024:11889-1
PYSEC-2022-159
USN-7476-1

Affected Products

Linuxmint
Ubuntu
Scrapy