CVE-2021-41125: Sensitive Information Exposure in Scrapy

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.3% (top 51.49%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 6; latest update May 5

Description

Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domai
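The mechanism described above, as an added example that is not Scrapy's own code: a minimal simulation of an HTTP-auth middleware that attaches Basic credentials to every outgoing request (the vulnerable pattern), next to a domain-scoped variant that only attaches them to the configured host and its subdomains. The class names, the `Request` stand-in, the crawl URLs and the `find_leaks` audit helper are all constructed for illustration; the sub-domain matching rule is an assumption about how a scoped check would be written, not a statement about Scrapy's implementation.

```python
"""Added example (not Scrapy's own code): simulate the credential-leak
pattern behind CVE-2021-41125 and domain scoping as the mitigation.
All class and function names here are hypothetical."""
import base64
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Request:
    """Stand-in for a crawler request: a URL plus its outgoing headers."""
    url: str
    headers: dict = field(default_factory=dict)


def basic_auth_header(user: str, password: str) -> str:
    """Build the value of an HTTP Basic 'Authorization' header (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


class UnscopedHttpAuth:
    """Mirrors the vulnerable behaviour: credentials go on every request,
    including framework-generated ones (robots.txt) and redirect targets."""

    def __init__(self, user: str, password: str):
        self.auth = basic_auth_header(user, password)

    def process_request(self, request: Request) -> Request:
        request.headers.setdefault("Authorization", self.auth)
        return request


class DomainScopedHttpAuth:
    """Hardened variant: credentials only for the configured domain
    and its subdomains (assumed matching rule for this example)."""

    def __init__(self, user: str, password: str, domain: str):
        self.auth = basic_auth_header(user, password)
        self.domain = domain.lower()

    def host_allowed(self, url: str) -> bool:
        host = (urlparse(url).hostname or "").lower()
        return host == self.domain or host.endswith("." + self.domain)

    def process_request(self, request: Request) -> Request:
        if self.host_allowed(request.url):
            request.headers.setdefault("Authorization", self.auth)
        return request


# Constructed crawl: the spider's own page, the robots.txt fetch that the
# framework adds by itself, and a redirect target on an unrelated host.
CRAWL_URLS = [
    "https://intranet.example/reports/",
    "https://intranet.example/robots.txt",
    "https://tracker.example/collect?ref=intranet",
]


def run_crawl(middleware, urls=CRAWL_URLS) -> dict:
    """Return {url: bool} saying whether an Authorization header was sent."""
    sent = {}
    for url in urls:
        req = middleware.process_request(Request(url))
        sent[url] = "Authorization" in req.headers
    return sent


def find_leaks(sent: dict, allowed_domain: str) -> list:
    """Audit helper: URLs that received credentials outside allowed_domain."""
    scope = DomainScopedHttpAuth("", "", allowed_domain)
    return [url for url, had_auth in sent.items()
            if had_auth and not scope.host_allowed(url)]


def demo():
    """Run both middlewares over the constructed crawl and audit each."""
    unscoped = run_crawl(UnscopedHttpAuth("bot", "s3cret"))
    scoped = run_crawl(DomainScopedHttpAuth("bot", "s3cret", "intranet.example"))
    return (unscoped, scoped,
            find_leaks(unscoped, "intranet.example"),
            find_leaks(scoped, "intranet.example"))


if __name__ == "__main__":
    unscoped, scoped, leaks_before, leaks_after = demo()
    print("unscoped middleware leaked credentials to:", leaks_before)
    print("domain-scoped middleware leaked credentials to:", leaks_after)
```

Running the block shows the unscoped middleware sending the `Authorization` header to `tracker.example` (the redirect target), while the scoped variant sends it only to `intranet.example` hosts; `find_leaks` is the same check applied after the fact, which is how a defender can review an existing crawl's request log for off-domain credential exposure.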

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (4 packages)

Debian: debian/python-scrapy, < python-scrapy 2.5.1-1 (bookworm)
NVD: scrapy/scrapy, 2.0.0 to 2.5.1 (+1)
PyPI: scrapy/scrapy, 2.0.0 to 2.5.1 (+1)
CVEListV5: scrapy/scrapy, >= 2.0.0, < 2.5.1

Also affects: Debian Linux 9.0

Patches

Vulnerability Details (4)

OSV: python-scrapy vulnerabilities (2025-05-05)
OSV: Scrapy HTTP authentication credentials potentially leaked to target websites (2021-10-06)
GHSA: Scrapy HTTP authentication credentials potentially leaked to target websites (2021-10-06)
OSV: CVE-2021-41125: Scrapy is a high-level web crawling and scraping framework for Python (2021-10-06)

Vendor Advisories (2)

Ubuntu: Scrapy vulnerabilities (2025-05-05)
Debian: CVE-2021-41125: python-scrapy - Scrapy is a high-level web crawling and scraping framework for Python. If you us... (2021)