PT-2024-40346 · Scrapy · Scrapy

Published: 2024-05-14 · Updated: 2024-05-14

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Scrapy versions prior to 2.11.2

Description: The issue arises when Scrapy is configured through scheme-specific system proxy settings, i.e. a proxy for http:// URLs and a different proxy for https:// URLs (as set, for example, through the http_proxy and https_proxy environment variables). When a response redirects to a URL with a different scheme, Scrapy fails to account for the scheme change and keeps using the proxy chosen for the original scheme instead of switching to the one configured for the new scheme. This is a security issue when separate HTTP and HTTPS proxies are used deliberately, for example to prevent one proxy provider from learning which URLs are visited through the other: an http:// request that is redirected to an https:// URL sends that https:// URL through the HTTP proxy. Requests whose proxy is set explicitly via the proxy request meta key are not affected; only proxies taken from system settings are.

Recommendations: Upgrade to Scrapy 2.11.2 (check the installed version with `scrapy version`). As a temporary workaround, consider replacing the built-in redirect middlewares (RedirectMiddleware and MetaRefreshMiddleware) and the HttpProxyMiddleware middleware with custom ones that implement the fix from Scrapy 2.11.2, and verify that they work as intended, i.e. that after a redirect between schemes the redirected request is sent through the proxy configured for its new scheme.
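The following is an added example, not code from the Scrapy project or from this advisory. It models the vulnerable and fixed redirect behaviour with plain dictionaries instead of Scrapy's Request objects, so it runs without Scrapy installed. The proxy map, the hostnames and URLs, the `_scheme_proxy` marker name and the `Proxy-Authorization` handling are assumptions made for illustration; the point demonstrated is the one the description makes: before the fix, an http:// request redirected to https:// keeps the HTTP proxy, and after the fix the proxy is re-selected for the new scheme while an explicitly set proxy is left untouched.

```python
from urllib.parse import urlsplit

# Constructed scheme-specific proxy settings, standing in for what the
# http_proxy / https_proxy environment variables would provide.
SYSTEM_PROXIES = {
    "http": "http://proxy-a.example:3128",
    "https": "http://proxy-b.example:3128",
}


def new_request(url, meta=None, headers=None):
    """A request is modelled as a plain dict (illustrative, not Scrapy's Request)."""
    return {"url": url, "meta": dict(meta or {}), "headers": dict(headers or {})}


def assign_proxy(request, proxies=SYSTEM_PROXIES):
    """Models the proxy middleware: an explicit meta['proxy'] wins; otherwise
    the proxy for the request's scheme is taken from the system settings and
    the request is marked as auto-proxied (marker name is illustrative)."""
    if "proxy" in request["meta"]:
        return request
    proxy = proxies.get(urlsplit(request["url"]).scheme)
    if proxy is not None:
        request["meta"]["proxy"] = proxy
        request["meta"]["_scheme_proxy"] = True
    return request


def redirect_vulnerable(request, location):
    """Pre-2.11.2 behaviour: the redirected request is a copy of the original,
    proxy meta included, so http -> https keeps the http proxy."""
    return new_request(location, request["meta"], request["headers"])


def redirect_fixed(request, location):
    """Behaviour of the fix, as modelled here: when the proxy came from system
    settings and the scheme changes, drop the proxy choice and any proxy
    credentials so the proxy middleware picks the proxy for the new scheme."""
    redirected = new_request(location, request["meta"], request["headers"])
    scheme_changed = urlsplit(request["url"]).scheme != urlsplit(location).scheme
    if redirected["meta"].get("_scheme_proxy") and scheme_changed:
        redirected["meta"].pop("proxy", None)
        redirected["meta"].pop("_scheme_proxy", None)
        redirected["headers"].pop("Proxy-Authorization", None)
    return redirected


def proxy_after_redirect(start_url, location, redirect, meta=None, proxies=SYSTEM_PROXIES):
    """Run one request through proxy assignment, a redirect, and proxy
    assignment again; return the proxy the redirected request would use."""
    first = assign_proxy(new_request(start_url, meta), proxies)
    second = assign_proxy(redirect(first, location), proxies)
    return second["meta"].get("proxy")


if __name__ == "__main__":
    start, target = "http://site.example/login", "https://site.example/account"
    print("vulnerable:", proxy_after_redirect(start, target, redirect_vulnerable))
    print("fixed:     ", proxy_after_redirect(start, target, redirect_fixed))
    # An explicitly chosen proxy is not touched by either version.
    pinned = {"proxy": "http://pinned.example:8080"}
    print("explicit:  ", proxy_after_redirect(start, target, redirect_fixed, meta=pinned))
```

The same check can be made against a real installation by running a spider against a local server that answers an http:// request with a 302 to an https:// URL while two distinct proxy addresses are set in http_proxy and https_proxy, and observing which proxy receives the second request.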

Related Identifiers

GHSA-jm3v-qxmh-hxwv

Affected Products

Scrapy