CVE-2024-1968

CVE Database · CVE-2024-1968

CVE-2024-1968

· N/AAnalyzed

CVSS v3.1

N/A

EPSS

0.68%

Published

May 20, 2024

Modified

Jul 15, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes. Consequently, when a redirect downgrades from HTTPS to HTTP, the Authorization header may be inadvertently exposed in plaintext, leading to potential sensitive information disclosure to unauthorized actors. The flaw is located in the _build_redirect_request function of the redirect middleware.

Weaknesses (CWE)

CWE-200

Affected Products (2)

scrapy · scrapyvulnerable

scrapy · scrapy (up to 2.11.2)vulnerable

References (4)

https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8

Patch

https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a

ExploitThird Party Advisory

https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8

Patch

https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a

ExploitThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs