GHSA-R253-R9JW-QG44
Vulnerability from github – Published: 2026-06-18 17:25 – Updated: 2026-06-18 17:25Summary
The Docker API server accepted a request-supplied browser_config.extra_args, which flowed into Chromium's launch arguments. An attacker could inject Chromium switches that replace a child-process launch command (--utility-cmd-prefix, --renderer-cmd-prefix, --gpu-launcher, --browser-subprocess-path) together with --no-zygote, causing Chromium to fork/exec an attacker-controlled command as the container's runtime user. The Docker API is unauthenticated by default, so a single request yields arbitrary command execution.
The earlier extra_args SSRF patch (0.8.9) used a denylist scoped to proxy/DNS flags; a denylist of launch switches is inherently incomplete, and these command-execution switches were not covered.
Affected paths
/crawl, /crawl/stream, /crawl/job accepting a request browser_config.extra_args.
Impact
Unauthenticated remote code execution as the container runtime user; full read/write of application data, mounted secrets, environment, and tokens, and out-of-band exfiltration independent of the HTTP response.
Fix
0.9.0 establishes a trust boundary for request-supplied configuration: extra_args (along with other power fields such as proxy, user_data_dir, cdp_url, init_scripts) is a forbidden field for untrusted request bodies. Any request that sets extra_args is rejected with HTTP 400 rather than scrubbed against an always-incomplete denylist. In-process SDK callers (trusted) are unaffected.
Workarounds
- Upgrade to the patched version (0.9.0).
- Enable authentication (
CRAWL4AI_API_TOKEN) and restrict who can reach the API. - Run the container with a restrictive seccomp profile and no ability to exec helper binaries.
Credits
Y4tacker - reported the --no-zygote + --utility-cmd-prefix command-injection chain with a confirmed in-container PoC and an allowlist/reject recommendation.
UDU_RisePho (hoanggxyuuki) - independently reported the request-supplied Chromium launch-flag RCE class (--renderer-cmd-prefix), confirmed still reproducing on 0.8.9.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.9"
},
"package": {
"ecosystem": "PyPI",
"name": "crawl4ai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-88",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T17:25:34Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\n\nThe Docker API server accepted a request-supplied `browser_config.extra_args`, which flowed into Chromium\u0027s launch arguments. An attacker could inject Chromium switches that replace a child-process launch command (`--utility-cmd-prefix`, `--renderer-cmd-prefix`, `--gpu-launcher`, `--browser-subprocess-path`) together with `--no-zygote`, causing Chromium to fork/exec an attacker-controlled command as the container\u0027s runtime user. The Docker API is unauthenticated by default, so a single request yields arbitrary command execution.\n\nThe earlier `extra_args` SSRF patch (0.8.9) used a denylist scoped to proxy/DNS flags; a denylist of launch switches is inherently incomplete, and these command-execution switches were not covered.\n\n### Affected paths\n\n`/crawl`, `/crawl/stream`, `/crawl/job` accepting a request `browser_config.extra_args`.\n\n### Impact\n\nUnauthenticated remote code execution as the container runtime user; full read/write of application data, mounted secrets, environment, and tokens, and out-of-band exfiltration independent of the HTTP response.\n\n### Fix\n\n0.9.0 establishes a trust boundary for request-supplied configuration: `extra_args` (along with other power fields such as `proxy`, `user_data_dir`, `cdp_url`, `init_scripts`) is a forbidden field for untrusted request bodies. Any request that sets `extra_args` is rejected with HTTP 400 rather than scrubbed against an always-incomplete denylist. In-process SDK callers (trusted) are unaffected.\n\n### Workarounds\n\n- Upgrade to the patched version (0.9.0).\n- Enable authentication (`CRAWL4AI_API_TOKEN`) and restrict who can reach the API.\n- Run the container with a restrictive seccomp profile and no ability to exec helper binaries.\n\n### Credits\n\nY4tacker - reported the `--no-zygote` + `--utility-cmd-prefix` command-injection chain with a confirmed in-container PoC and an allowlist/reject recommendation.\nUDU_RisePho (hoanggxyuuki) - independently reported the request-supplied Chromium launch-flag RCE class (`--renderer-cmd-prefix`), confirmed still reproducing on 0.8.9.",
"id": "GHSA-r253-r9jw-qg44",
"modified": "2026-06-18T17:25:34Z",
"published": "2026-06-18T17:25:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/unclecode/crawl4ai/security/advisories/GHSA-r253-r9jw-qg44"
},
{
"type": "PACKAGE",
"url": "https://github.com/unclecode/crawl4ai"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.extra_args"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.