GHSA-4qqq-9vqf-3h3f · Severity: medium · Ecosystem: pip — Scrapy leaks the authorization header on same-domain but cross-origin redirects
In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes. Consequently, when a redirect downgrades from HTTPS to HTTP, the Authorization header may be inadvertently exposed in plaintext, leading to potential sensitive information disclosure to unauthorized actors. The flaw is located in the _build_redirect_request function of the redirect middleware.
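The origin rule the advisory invokes, shown as an added example that is not Scrapy's own code: the original and redirect URLs are reduced to (scheme, host, effective port) and the Authorization header is dropped on any mismatch, so a same-host HTTPS to HTTP downgrade strips it. Function names and the sample header set are constructed for this illustration.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Default ports so that https://example.com and https://example.com:443
# compare as the same origin, as the Fetch standard intends.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple[str, str, int | None]:
    """Return (scheme, host, effective port); scheme and host are
    case-insensitive, and a missing port is replaced by the scheme default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin(from_url: str, to_url: str) -> bool:
    """True when scheme, host, or port differs between the two URLs."""
    return origin(from_url) != origin(to_url)


def redirect_headers(request_url: str, redirect_url: str, headers: dict) -> dict:
    """Build the header set for the redirected request: Authorization survives
    only a same-origin redirect; a scheme-only change (HTTPS -> HTTP on the
    same host) counts as cross-origin and removes it."""
    new_headers = dict(headers)
    if is_cross_origin(request_url, redirect_url):
        # Header names are case-insensitive; drop every spelling of the name.
        for name in list(new_headers):
            if name.lower() == "authorization":
                del new_headers[name]
    return new_headers


if __name__ == "__main__":
    # Constructed sample: a downgrade redirect on the same host.
    sample = {"Authorization": "Bearer <placeholder>", "Accept": "*/*"}
    print(redirect_headers("https://example.com/login",
                           "http://example.com/home", sample))
```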
Conclusion & alert: CVE-2024-1968 is rated High Exploit Risk (62.1/100): CVSS High severity, with low exploitation likelihood (EPSS 0.68%). Core evidence: 1 public exploit reference is indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | — | Exploit-DB |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.19% | 0.68% | +0.49% |
| 2 | 2025-11-21 | 0.28% | 0.19% | -0.09% |
| 3 | 2025-11-18 | — | 0.28% | — |
Full EPSS history (13 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.0 | HIGH | — | 3.9 | 3.6 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| debian | not yet assigned | CVE-2024-1968 not yet assigned priority: Debian including 1 source package (python-scrapy), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 3, open 2. | https://security-tracker.debian.org/tracker/CVE-2024-1968 |
| suse | medium | CVE-2024-1968 severity moderate: SUSE including 4 source package names (python-Scrapy-doc-2.11.2-1.1, python310-Scrapy-2.11.2-1.1, python311-Scrapy-2.11.2-1.1, python312-Scrapy-2.11.2-1.1), 4 product×package rows across 1 product line (openSUSE Tumbleweed): Fixed 4. | https://www.suse.com/security/cve/CVE-2024-1968/ |
| ubuntu | medium | CVE-2024-1968 medium priority: Ubuntu including 1 source package (python-scrapy), 10 status rows across 10 suites (bionic, focal, jammy, mantic, noble, oracular, plucky, questing, upstream, xenial): released 5, not-affected 3, ignored 2. | https://ubuntu.com/security/CVE-2024-1968 |
| URL | Tags |
|---|---|
| https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8 | Patch |
| https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a | Exploit Third Party Advisory |