scrapy is vulnerable to Open Redirect. The vulnerability is due to indiscriminate handling of redirects across different URL schemes, which can result in redirecting requests to potentially malicious destinations, such as local files, malicious FTP servers, or S3 buckets. If an attacker has access to the spider output, or the scraped data, they can then read the files.