CVE-2021-41125: Scrapy HTTP authentication credentials potentially leaked to target websites
CVSS Score: 5.7 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.61032%
CWE
Published: 10/6/2021
Updated: 10/26/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Scrapy | pip | < 1.8.1 | 1.8.1 |
Scrapy | pip | >= 2.0.0, < 2.5.1 | 2.5.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unconditional credential handling in HttpAuthMiddleware. Before the patch, the process_request method in httpauth.py added a Basic Auth header to every request whenever http_user/http_pass were set, regardless of the target domain. Commit b01d69a introduced domain validation checks (urlparse_cached + url_is_from_any_domain) to restrict credential exposure. The vulnerable function is therefore the process_request implementation that lacked these domain checks, which allowed credentials to leak across domains.
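
The difference between the two behaviours can be modelled without Scrapy. The following is an added example, not Scrapy's code or the patch itself: a simplified stand-in for process_request before and after a domain check, run over constructed URLs. The function names, the auth_domain parameter and the sample hosts are assumptions made for illustration.

```python
import base64
from urllib.parse import urlparse

# Constructed sample targets: two intended hosts, one third party, two look-alikes.
SAMPLE_URLS = [
    "https://api.example.com/items",
    "https://example.com/login",
    "https://cdn.example.net/asset.js",
    "https://example.com.evil.test/",
    "https://notexample.com/",
]

def basic_auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def host_in_domain(url, domain):
    """True only if the URL's host is `domain` itself or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)

def process_request_unscoped(url, headers, user, password):
    """Model of the pre-patch behaviour described above: no domain check."""
    headers = dict(headers)
    if user or password:
        headers.setdefault("Authorization", basic_auth_header(user, password))
    return headers

def process_request_scoped(url, headers, user, password, auth_domain):
    """Model of the fixed behaviour: credentials only for the intended domain."""
    headers = dict(headers)
    if (user or password) and host_in_domain(url, auth_domain):
        headers.setdefault("Authorization", basic_auth_header(user, password))
    return headers

def leaked_to(urls, intended_domain, send):
    """URLs outside intended_domain that would still receive the header."""
    return [u for u in urls
            if "Authorization" in send(u) and not host_in_domain(u, intended_domain)]

def audit(domain="example.com"):
    """Return (leaks without the check, leaks with the check)."""
    before = leaked_to(SAMPLE_URLS, domain, lambda u: process_request_unscoped(u, {}, "user", "pass"))
    after = leaked_to(SAMPLE_URLS, domain, lambda u: process_request_scoped(u, {}, "user", "pass", domain))
    return before, after

if __name__ == "__main__":
    print(audit())
```

The look-alike hosts show why the comparison has to be an exact match or a dot-delimited suffix match rather than a substring test.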