CVE-2024-3574

Published: Apr 16, 2024Modified: Jul 28, 2025

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: security@huntr.dev (Secondary)

Description

In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking.

Affected (1)

Products: Scrapy: Scrapy

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Scrapy Scrapy	Before 2.11.1

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (4)

https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75

Source: security@huntr.dev

Patch

https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9

Source: security@huntr.dev

ExploitIssue TrackingPatchThird Party Advisory

https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingPatchThird Party Advisory

Timeline

No history available yet.