{"id":"PYSEC-2026-1908","summary":"Scrapy authorization header leakage on cross-domain redirect","details":"### Impact\n\nWhen you send a request with the `Authorization` header to one domain, and the response asks to redirect to a different domain, Scrapy’s built-in redirect middleware creates a follow-up redirect request that keeps the original `Authorization` header, leaking its content to that second domain.\n\nThe [right behavior](https://fetch.spec.whatwg.org/#ref-for-cors-non-wildcard-request-header-name) would be to drop the `Authorization` header instead, in this scenario.\n\n### Patches\n\nUpgrade to Scrapy 2.11.1.\n\nIf you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.\n\n### Workarounds\n\nIf you cannot upgrade, make sure that you are not using the `Authentication` header, either directly or through some third-party plugin.\n\nIf you need to use that header in some requests, add `\"dont_redirect\": True` to the `request.meta` dictionary of those requests to disable following redirects for them.\n\nIf you need to keep (same domain) redirect support on those requests, make sure you trust the target website not to redirect your requests to a different domain.\n\n### Acknowledgements\n\nThis security issue was reported by @ranjit-git  [through huntr.com](https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9/).","aliases":["CVE-2024-3574","GHSA-cw9j-q3vf-hrrv"],"modified":"2026-07-07T17:47:52.911185651Z","published":"2026-07-07T11:45:32.587793Z","references":[{"type":"WEB","url":"https://github.com/scrapy/scrapy/security/advisories/GHSA-cw9j-q3vf-hrrv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3574"},{"type":"WEB","url":"https://github.com/scrapy/scrapy/commit/ee7bd9d217fc126063575d5649f00bdeeca2faae"},{"type":"PACKAGE","url":"https://github.com/scrapy/scrapy"},{"type":"WEB","url":"https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9"},{"type":"PACKAGE","url":"https://pypi.org/project/scrapy"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-cw9j-q3vf-hrrv"}],"affected":[{"package":{"name":"scrapy","ecosystem":"PyPI","purl":"pkg:pypi/scrapy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.4"},{"introduced":"2"},{"fixed":"2.11.1"}]}],"versions":["0.10.4.2364","0.12.0.2550","0.14.1","0.14.2","0.14.3","0.14.4","0.16.0","0.16.1","0.16.2","0.16.3","0.16.4","0.16.5","0.18.0","0.18.1","0.18.2","0.18.3","0.18.4","0.20.0","0.20.1","0.20.2","0.22.0","0.22.1","0.22.2","0.24.0","0.24.1","0.24.2","0.24.3","0.24.4","0.24.5","0.24.6","0.7","0.8","0.9","1.0.0","1.0.0rc1","1.0.0rc2","1.0.0rc3","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.1.0","1.1.0rc1","1.1.0rc2","1.1.0rc3","1.1.0rc4","1.1.1","1.1.2","1.1.3","1.1.4","1.2.0","1.2.1","1.2.2","1.2.3","1.3.0","1.3.1","1.3.2","1.3.3","1.4.0","1.5.0","1.5.1","1.5.2","1.6.0","1.7.0","1.7.1","1.7.2","1.7.3","1.7.4","1.8.0","1.8.1","1.8.2","1.8.3","2.0.0","2.0.1","2.1.0","2.10.0","2.10.1","2.11.0","2.2.0","2.2.1","2.3.0","2.4.0","2.4.1","2.5.0","2.5.1","2.6.0","2.6.1","2.6.2","2.6.3","2.7.0","2.7.1","2.8.0","2.9.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/scrapy/PYSEC-2026-1908.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}