{"id":"CVE-2021-41125","details":"Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`.","aliases":["GHSA-jwqp-28gf-p498","PYSEC-2021-363"],"modified":"2026-04-09T08:15:11.499912Z","published":"2021-10-06T18:15:10.953Z","related":["GHSA-jwqp-28gf-p498","openSUSE-SU-2024:11558-1"],"references":[{"type":"ADVISORY","url":"http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"},{"type":"ADVISORY","url":"https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00021.html"},{"type":"ADVISORY","url":"https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header"},{"type":"FIX","url":"https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/scrapy/scrapy","events":[{"introduced":"0"},{"fixed":"283e90e466699725b5a28cbd85c47016cda95347"},{"introduced":"a4dbb7754b999c8c6a5239bb3f58e951369e017e"},{"fixed":"61130c8aad7adec056823edd6f85748ce17e54d6"},{"fixed":"b01d69a1bf48060daec8f751368622352d8b85a6"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.8.1"},{"introduced":"2.0.0"},{"fixed":"2.5.1"}]}}],"versions":["0.10","0.10-rc1","0.10.1","0.10.2","0.10.3","0.14.0","0.15.0","0.15.1","0.17.0","0.21.0","0.23.0","0.24.0","0.25.0","0.25.1","0.7","0.7-rc1","0.8","0.9","0.9-rc1","1.0.0rc1","1.2.0","1.2.0dev2","1.2.1","1.2.2","1.3.0","1.3.1","1.3.2","1.4.0","1.5.0","1.6.0","1.7.0","1.8.0","2.0.0","2.1.0","2.2.0","2.3.0","2.4.0","2.5.0","hojo","scrapy-0.25.1-sc"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41125.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}