PT-2024-40004 · Scrapy · Scrapy

Published: 2024-05-14 · Updated: 2024-05-14

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Scrapy versions prior to 2.11.2

Description: A malicious actor with write access to a spider's start requests and read access to the spider output can exploit the issue. Such an actor can redirect a request to any local file using the file:// scheme to read its contents, or to an ftp:// URL of a malicious FTP server to obtain the FTP username and password configured in the spider or project. Redirects to any s3:// URL likewise read its content using the S3 credentials configured in the spider or project. Exploitability depends on how the spider parses input data into output items.

Recommendations: Upgrade to Scrapy 2.11.2. As a temporary workaround, consider replacing the built-in redirect middlewares (RedirectMiddleware and MetaRefreshMiddleware) with custom ones that implement the fix from Scrapy 2.11.2, and verify that they work as intended.
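The core of the workaround is a scheme check on every redirect target before it is followed: a redirect from an http:// or https:// response may only lead to another http:// or https:// URL, whatever the Location header or meta refresh tag says. The following is an added, self-contained illustration of that check and is not code from Scrapy or from this advisory. The function and class names are hypothetical, the sample headers and HTML are constructed, and the meta refresh extractor is a simplified regex rather than Scrapy's own parser. In a real project this logic would go into subclasses of RedirectMiddleware and MetaRefreshMiddleware (both in scrapy.downloadermiddlewares.redirect) registered via the DOWNLOADER_MIDDLEWARES setting in place of the built-in ones.

```python
import re
from typing import Mapping, Optional, Union
from urllib.parse import urljoin, urlsplit

# Schemes a redirect from an HTTP(S) response may legitimately lead to.
# Anything else (file, ftp, s3, ...) is dropped instead of being followed,
# which is the behaviour Scrapy 2.11.2 adopted for its redirect middlewares.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https"})

REDIRECT_STATUSES = frozenset({301, 302, 303, 307, 308})

# Simplified meta refresh matcher (assumption: attribute order http-equiv
# then content, as in the constructed sample below). Scrapy itself uses a
# more complete parser from w3lib.
_META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE,
)


def resolve_redirect(request_url: str, location: str) -> str:
    """Resolve an absolute, relative or scheme-relative target against the
    URL of the response that carried it, the way a browser would."""
    return urljoin(request_url, location.strip())


def is_safe_redirect(request_url: str, location: str) -> bool:
    """True only when the resolved target uses an allowed scheme.

    Relative targets inherit the scheme of the request, so "/next" and
    "//cdn.example.test/x" pass, while "file:///etc/passwd", "ftp://..."
    and "s3://..." fail regardless of how they are written.
    """
    target = resolve_redirect(request_url, location)
    return urlsplit(target).scheme.lower() in ALLOWED_REDIRECT_SCHEMES


def redirect_target(
    request_url: str,
    status: int,
    headers: Mapping[str, Union[str, bytes]],
) -> Optional[str]:
    """Return the URL a Location-header redirect should follow, or None if
    the response is not a redirect or the target scheme is not allowed."""
    if status not in REDIRECT_STATUSES:
        return None
    location = None
    for name, value in headers.items():  # header names are case-insensitive
        if name.lower() == "location":
            location = value
            break
    if location is None:
        return None
    if isinstance(location, bytes):  # Scrapy stores header values as bytes
        location = location.decode("latin-1")
    if not is_safe_redirect(request_url, location):
        return None
    return resolve_redirect(request_url, location)


def meta_refresh_target(request_url: str, html: str) -> Optional[str]:
    """Return the URL a <meta http-equiv="refresh"> tag should lead to, or
    None if there is no such tag or its target scheme is not allowed."""
    match = _META_REFRESH_RE.search(html)
    if match is None:
        return None
    location = match.group(1)
    if not is_safe_redirect(request_url, location):
        return None
    return resolve_redirect(request_url, location)


class SchemeRestrictingRedirectPolicy:
    """Hypothetical hook showing where the check sits in a middleware.

    A Scrapy subclass would call this from process_response() and, when
    None comes back, return the un-redirected response to the spider instead
    of delegating to the parent class. Dropped targets are recorded so the
    behaviour can be logged and monitored.
    """

    def __init__(self) -> None:
        self.dropped: list = []

    def decide(self, request_url: str, status: int,
               headers: Mapping[str, Union[str, bytes]]) -> Optional[str]:
        target = redirect_target(request_url, status, headers)
        if target is None and status in REDIRECT_STATUSES:
            self.dropped.append((request_url, dict(headers)))
        return target


if __name__ == "__main__":
    policy = SchemeRestrictingRedirectPolicy()
    # Constructed sample responses, not captured traffic.
    print(policy.decide("https://example.test/a", 302, {"Location": b"/next"}))
    print(policy.decide("https://example.test/a", 302, {"Location": b"file:///etc/passwd"}))
    print(policy.dropped)
```

The check is deliberately applied after URL resolution: a target written as a bare "file:///..." or "s3://..." is returned unchanged by urljoin because its scheme differs from the request's, so inspecting the resolved URL rather than the raw header catches every spelling of the same thing.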

Fix

Weakness Enumeration: Files Accessible to External Parties

Related Identifiers: GHSA-23J4-MW76-5V7H

Affected Products: Scrapy