PT-2022-28231 · Scrapy · Scrapy

Published 2022-07-29 · Updated 2022-07-29


No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Scrapy versions prior to 2.6.2
Scrapy versions prior to 1.8.3

Description

The issue arises when the built-in HTTP proxy downloader middleware processes a request whose proxy metadata includes proxy credentials. When a third-party proxy-rotation downloader middleware changes the proxy metadata, the Proxy-Authorization header set for the previous proxy may not be removed, leaking the previous proxy's credentials. This affects users who rotate proxies from different providers and use credentials for any of those proxies.

Recommendations

For Scrapy versions prior to 2.6.2, upgrade to Scrapy 2.6.2. For Scrapy versions prior to 1.8.3 where upgrading to Scrapy 2.6.2 is not an option, upgrade to Scrapy 1.8.3. As a temporary workaround, ensure that any code changing the proxy request meta also removes the Proxy-Authorization header from the request if present.
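The following is an added example illustrating the leak and the workaround described above; it is not Scrapy's own code or part of this advisory. To run without Scrapy installed it uses a constructed stand-in `Request` class (a `meta` dict plus a case-insensitive header mapping, which is what the real `scrapy.http.Request` offers for this purpose), a simplified emulation of the pre-fix built-in proxy middleware behaviour, and two hypothetical rotation middlewares: one that only swaps the `proxy` meta key (and so reproduces the leak) and one that additionally drops the Proxy-Authorization header whenever the proxy changes. The proxy URLs and credentials are constructed sample values.

```python
import base64
from itertools import cycle
from urllib.parse import urlsplit, urlunsplit


class Request:
    """Minimal stand-in for scrapy.http.Request (constructed for this example)."""

    def __init__(self, url, meta=None, headers=None):
        self.url = url
        self.meta = dict(meta or {})
        # Lower-cased keys mimic Scrapy's case-insensitive Headers mapping.
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}


class BuiltinProxyStandIn:
    """Simplified emulation (not Scrapy's code) of the pre-2.6.2 built-in
    HttpProxyMiddleware behaviour the advisory describes: credentials embedded
    in the ``proxy`` meta URL are turned into a Proxy-Authorization header and
    stripped from the URL that is dialled, but an existing header is never
    removed when the proxy changes to one without credentials."""

    def process_request(self, request, spider=None):
        proxy_url = request.meta.get("proxy")
        if not proxy_url:
            return None
        parts = urlsplit(proxy_url)
        if parts.username is not None:
            creds = f"{parts.username}:{parts.password or ''}".encode()
            request.headers["proxy-authorization"] = b"Basic " + base64.b64encode(creds)
            netloc = parts.hostname + (f":{parts.port}" if parts.port else "")
            request.meta["proxy"] = urlunsplit(
                (parts.scheme, netloc, parts.path, parts.query, parts.fragment)
            )
        return None


class LeakyProxyRotationMiddleware:
    """Hypothetical third-party rotation middleware that reproduces the leak:
    it swaps the ``proxy`` meta value and leaves any Proxy-Authorization header
    from the previous proxy in place."""

    def __init__(self, proxies):
        self._proxies = cycle(proxies)

    def process_request(self, request, spider=None):
        request.meta["proxy"] = next(self._proxies)
        return None


class SafeProxyRotationMiddleware(LeakyProxyRotationMiddleware):
    """Same rotation with the advisory's workaround applied: whenever the proxy
    meta changes, drop the Proxy-Authorization header left over from the old
    proxy. The built-in middleware re-adds it if the new proxy needs one."""

    def process_request(self, request, spider=None):
        new_proxy = next(self._proxies)
        if request.meta.get("proxy") != new_proxy:
            request.headers.pop("proxy-authorization", None)
        request.meta["proxy"] = new_proxy
        return None


# Constructed sample values: one authenticated proxy and one without credentials.
PROXIES = [
    "http://user:s3cret@proxy-a.example:8080",
    "http://proxy-b.example:8080",
]


def run_rounds(rotation_cls, proxies, rounds=2):
    """Push one request through `rounds` passes of a downloader middleware
    chain (rotation first, then the built-in proxy stand-in), the way a retry
    re-submits a request that still carries its earlier headers.
    Returns (final proxy meta value, whether Proxy-Authorization is present)."""
    request = Request("https://target.example/")
    chain = [rotation_cls(proxies), BuiltinProxyStandIn()]
    for _ in range(rounds):
        for middleware in chain:
            middleware.process_request(request)
    return request.meta["proxy"], "proxy-authorization" in request.headers


if __name__ == "__main__":
    for cls in (LeakyProxyRotationMiddleware, SafeProxyRotationMiddleware):
        proxy, has_auth = run_rounds(cls, PROXIES)
        print(f"{cls.__name__}: proxy={proxy} Proxy-Authorization sent={has_auth}")
```

With the leaky middleware the second round sends proxy-a's Basic credentials to proxy-b; with the safe variant the header is gone by the time the built-in middleware runs for proxy-b. In a real project the same `process_request(self, request, spider)` method body applies to a Scrapy downloader middleware, using `request.headers.pop(b"Proxy-Authorization", None)` on the real Headers object.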

Related Identifiers

GHSA-9X8M-2XPF-CRP3

Affected Products

Scrapy