{"id":"CVE-2021-41124","details":"Scrapy-splash is a library which provides Scrapy and JavaScript integration. In affected versions users who use [`HttpAuthMiddleware`](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth) (i.e. the `http_user` and `http_pass` spider attributes) for Splash authentication will have any non-Splash request expose your credentials to the request target. This includes `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`. Upgrade to scrapy-splash 0.8.0 and use the new `SPLASH_USER` and `SPLASH_PASS` settings instead to set your Splash authentication credentials safely. If you cannot upgrade, set your Splash request credentials on a per-request basis, [using the `splash_headers` request parameter](https://github.com/scrapy-plugins/scrapy-splash/tree/0.8.x#http-basic-auth), instead of defining them globally using the [`HttpAuthMiddleware`](http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth). Alternatively, make sure all your requests go through Splash. That includes disabling the [robots.txt middleware](https://docs.scrapy.org/en/latest/topics/downloader-middleware.html#topics-dlmw-robots).","aliases":["GHSA-823f-cwm9-4g74","PYSEC-2021-364"],"modified":"2026-03-13T22:15:51.600686Z","published":"2021-10-05T21:15:09.590Z","related":["GHSA-823f-cwm9-4g74"],"references":[{"type":"ADVISORY","url":"https://github.com/scrapy-plugins/scrapy-splash/security/advisories/GHSA-823f-cwm9-4g74"},{"type":"FIX","url":"https://github.com/scrapy-plugins/scrapy-splash/commit/2b253e57fe64ec575079c8cdc99fe2013502ea31"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/scrapy-plugins/scrapy-splash","events":[{"introduced":"0"},{"fixed":"b42e1913e6ef6f7afdbf77aac0b329430c1805d8"},{"fixed":"2b253e57fe64ec575079c8cdc99fe2013502ea31"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.8.0"}]}}],"versions":["0.1","0.1.1","0.2","0.3","0.4","0.5","0.6","0.6.1","0.7","0.7.1","0.7.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41124.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}