{"uuid": "06b88bf3-5f50-4f22-b25a-aa42598b075c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-f989-c77f-r2cq", "type": "seen", "source": "https://gist.github.com/alon710/ea8299cfda138a4a029849fc1be10207", "content": "# GHSA-F989-C77F-R2CQ: LLM Credential Exfiltration and SSRF in Crawl4AI Docker Server\n\n> **CVSS Score:** 8.2\n> **Published:** 2026-06-16\n> **Full Report:** https://cvereports.com/reports/GHSA-F989-C77F-R2CQ\n\n## Summary\nA technical evaluation of the Crawl4AI open-source web crawling and scraping library revealed a high-severity credential exfiltration vulnerability in its self-hosted Dockerized API server. The flaw arises from an unvalidated base_url parameter in request payloads and a dynamic prefix resolution mechanism that retrieves system environment variables. Unauthenticated remote attackers can leverage these features in tandem to extract host-level secrets or redirect configured LLM API keys to an external listener under their control.\n\n## TL;DR\nUnauthenticated remote attackers can exfiltrate LLM API keys and sensitive environment variables from Crawl4AI Docker servers by exploiting request-supplied base_url redirects and env-token resolution.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-200 / CWE-522 / CWE-918\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1**: 8.2 (High)\n- **Exploit Status**: Proof of Concept / Functional\n- **KEV Status**: Not Listed\n- **Primary Impact**: Exfiltration of LLM API credentials and host environment variables\n\n## Affected Systems\n\n- Crawl4AI self-hosted Docker API Server (deploy/docker/api.py)\n- Crawl4AI Python library (crawl4ai/async_configs.py)\n- **crawl4ai**: <= 0.8.7 (Fixed in: `0.8.8`)\n\n## Mitigation\n\n- Upgrade the Crawl4AI package and associated Docker containers to version 0.8.8 or later\n- Enable API Token Authentication on the Crawl4AI container using the CRAWL4AI_API_TOKEN environment variable\n- Implement network egress filtering to restrict the container's outbound connections to authorized domains\n- Minimize secret exposure by avoiding passing unnecessary environment variables to the container runtime environment\n\n**Remediation Steps:**\n1. Identify all running instances of Crawl4AI Docker containers in the environment\n2. Stop existing container instances running version 0.8.7 or lower\n3. Pull the updated Docker image using: docker pull unclecode/crawl4ai:0.8.8\n4. Upgrade local Python environments using: pip install -U crawl4ai\n5. Verify container startup logs to confirm execution of version 0.8.8 or later\n6. Audit environment variables associated with the container to ensure only necessary keys are passed\n\n## References\n\n- [Official GitHub Security Advisory](https://github.com/advisories/GHSA-F989-C77F-R2CQ)\n- [Repository Security Page Link](https://github.com/unclecode/crawl4ai/security/advisories/GHSA-F989-C77F-R2CQ)\n- [GitHub Version Comparison & Patches](https://github.com/unclecode/crawl4ai/compare/v0.8.7...v0.8.8)\n- [Raw Patch Diff Link](https://github.com/unclecode/crawl4ai/compare/v0.8.7...v0.8.8.patch)\n- [Repository Home Page](https://github.com/unclecode/crawl4ai)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-F989-C77F-R2CQ) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-16T21:11:18.000000Z"}