PT-2024-26692 · Scrapy +3

Published 2024-02-15 · Updated 2025-05-05 · CVE-2024-3574

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Scrapy versions prior to 2.11.1
Description

Scrapy's built-in redirect middleware does not remove the Authorization header when it follows a redirect to a different domain, which leaks the credential to that domain and can allow account hijacking. When a request carrying an Authorization header is sent to one domain and the response redirects to a different domain, the middleware builds the follow-up request as a copy of the original, Authorization header included, so the same credential is sent to the second domain. The correct behaviour is to drop the Authorization header in this scenario.
Recommendations

For Scrapy versions prior to 2.11.1, upgrade to Scrapy 2.11.1 to resolve the issue. If upgrading to Scrapy 2.11.1 is not an option and you are using Scrapy 1.8 or lower, upgrade to Scrapy 1.8.4 instead. As a temporary workaround, avoid using the Authorization header, whether set directly on requests or by a third-party plugin. For requests that must carry the Authorization header, add "dont_redirect": True to the request.meta dictionary so that redirects are not followed for those requests. If same-domain redirects must still be followed for requests carrying the Authorization header, ensure that the target website is trusted not to redirect those requests to a different domain.
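The behaviour described above, as an added example that is not part of this advisory and not Scrapy's own code: a minimal, stdlib-only model of the redirect step, with the pre-2.11.1 logic (every header copied onto the cross-domain follow-up request) beside the corrected logic (Authorization dropped when the host changes). The Request and Response classes, the resolve() helper and the sample API/redirect URLs are constructed stand-ins; the "dont_redirect" meta key is the one named in the Recommendations. The example compares hostnames only, as the advisory text describes; it ignores Scrapy's method and body handling on 301/302/303 redirects.

```python
"""Model of Scrapy's cross-domain redirect handling: vulnerable vs. fixed.
Added example written from the advisory text; it does not import Scrapy."""

from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class Request:
    # Constructed stand-in for scrapy.Request: only what the redirect logic needs.
    url: str
    headers: dict = field(default_factory=dict)
    meta: dict = field(default_factory=dict)


@dataclass
class Response:
    # Constructed stand-in for scrapy.http.Response.
    url: str
    status: int
    headers: dict = field(default_factory=dict)


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _strip_header(headers: dict, name: str) -> dict:
    # Header names are case-insensitive; drop every spelling of `name`.
    return {k: v for k, v in headers.items() if k.lower() != name.lower()}


def follow_redirect_vulnerable(request: Request, response: Response):
    """Behaviour the advisory describes for Scrapy < 2.11.1: the follow-up
    request is a copy of the original, so Authorization travels to the new
    domain. Returns None when the response is not a redirect, or when the
    request opted out with meta['dont_redirect'] (the recommended workaround)."""
    if request.meta.get("dont_redirect"):
        return None
    location = response.headers.get("Location")
    if response.status not in REDIRECT_STATUSES or not location:
        return None
    new_url = urljoin(request.url, location)
    return Request(new_url, headers=dict(request.headers), meta=dict(request.meta))


def follow_redirect_fixed(request: Request, response: Response):
    """Corrected behaviour: same as above, except Authorization is removed
    whenever the redirect target's host differs from the original host.
    Same-host redirects keep the header."""
    redirected = follow_redirect_vulnerable(request, response)
    if redirected is not None and _host(redirected.url) != _host(request.url):
        redirected.headers = _strip_header(redirected.headers, "Authorization")
    return redirected


def resolve(follow, request: Request, responses: dict, max_hops: int = 5) -> Request:
    """Walk a redirect chain with `follow`. `responses` maps a URL to the
    constructed Response the server would return; URLs not in the map are
    treated as final. Returns the last request that would actually be sent."""
    current = request
    for _ in range(max_hops):
        response = responses.get(current.url)
        if response is None:
            break
        nxt = follow(current, response)
        if nxt is None:
            break
        current = nxt
    return current


# Constructed sample: a trusted API host answers with a redirect to another domain.
SAMPLE_REQUEST = Request(
    "https://api.example/data",
    headers={"Authorization": "Bearer s3cr3t", "User-Agent": "demo-spider"},
)
SAMPLE_RESPONSES = {
    "https://api.example/data": Response(
        "https://api.example/data", 302, {"Location": "https://evil.example/collect"}
    ),
}


if __name__ == "__main__":
    for name, follow in (("vulnerable", follow_redirect_vulnerable),
                         ("fixed", follow_redirect_fixed)):
        final = resolve(follow, SAMPLE_REQUEST, SAMPLE_RESPONSES)
        print(f"{name}: sends to {final.url}, "
              f"Authorization present: {'Authorization' in final.headers}")
```

Under the vulnerable logic the final request to evil.example still carries "Bearer s3cr3t"; under the fixed logic it carries only User-Agent, while a same-host redirect (for example Location: /v2/data) keeps the header. Setting meta={"dont_redirect": True} on a Scrapy Request stops the chain at the first response, which is why the advisory recommends it for requests that must carry Authorization on unpatched versions.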

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-3574
GHSA-4Q82-J5C2-G2C5
GHSA-CW9J-Q3VF-HRRV
USN-7476-1

Affected Products

Debian
Linuxmint
Scrapy
Ubuntu