CVE-2024-3574

CVE Database · CVE-2024-3574

CVE-2024-3574

· N/AAnalyzed

CVSS v3.1

N/A

EPSS

0.64%

Published

Apr 15, 2024

Modified

Jul 28, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking.

Weaknesses (CWE)

CWE-200

Affected Products (1)

scrapy · scrapy (up to 2.11.1)vulnerable

References (4)

https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75

Patch

https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9

ExploitIssue TrackingPatch

https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75

Patch

https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9

ExploitIssue TrackingPatch

KEV Catalog EPSS Scores Vendors All CVEs