CVE-2024-3574 — Sensitive Information Exposure in Scrapy

CWE-200 — Sensitive Information Exposure7 documents5 sources

Severity

7.5HIGHNVD

OSV6.5

EPSS

0.1%

top 68.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Scrapy Scrapy Scrapy Debian Python-scrapy

Timeline

PublishedApr 16

Latest updateMay 5

Description

In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDscrapy/scrapy< 2.11.1

▶PyPIscrapy/scrapy2 — 2.11.1+1

▶CVEListV5scrapy/scrapy_scrapyunspecified — 2.11.1

▶debiandebian/python-scrapy< python-scrapy 2.11.1-1 (forky)

Patches

Patch: github.com ↗Patch: huntr.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

python-scrapy vulnerabilities↗2025-05-05

▶

OSV

CVE-2024-3574: In scrapy version 2↗2024-04-16

▶

GHSA

Scrapy authorization header leakage on cross-domain redirect↗2024-02-15

▶

OSV

Scrapy authorization header leakage on cross-domain redirect↗2024-02-15

▶

📋Vendor Advisories

Ubuntu

Scrapy vulnerabilities↗2025-05-05

▶

Debian

CVE-2024-3574: python-scrapy - In scrapy version 2.10.1, an issue was identified where the Authorization header...↗2024

▶