PYSEC-2026-588
Vulnerability from pysec - Published: 2026-06-23 19:17 - Updated: 2026-06-30 23:09

Crawl4AI is an open-source, LLM-friendly web crawler & scraper. Prior to 0.8.9, the Docker API server applied its SSRF destination check to the crawl target URL only, not to the proxy address. An unauthenticated request could supply a proxy pointing at an internal IP and route the browser through it, reaching internal services and cloud-metadata endpoints, while using a perfectly valid crawl URL. The Docker API is unauthenticated by default. /crawl, /crawl/stream, and /crawl/job accept a browser_config (and crawler_config). The following all feed Chromium's egress and were unchecked: browser_config.proxy_config.server, browser_config.proxy (deprecated field), crawler_config.proxy_config.server, and the --proxy-server / --proxy-pac-url / --proxy-bypass-list / --host-resolver-rules flags in browser_config.extra_args. This vulnerability is fixed in 0.8.9.
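The gap described above is that only the crawl URL was passed through the internal-address check while several proxy-bearing fields reached Chromium untouched. The following is an added example (not Crawl4AI's own code) of the defender-side check a deployment would want: every field and flag named in the advisory is inspected, proxy hosts are resolved and tested against non-global address space, and flags that rewrite resolution or bypass rules are rejected outright because a destination check cannot reason about them. The function names, the static resolver table and all sample values are assumptions constructed for this example.

```python
"""Validate proxy-related request fields against internal address space.

Added example, not Crawl4AI code. Field names come from the advisory;
helper names, the resolver table and sample values are assumptions.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Chromium flags named in the advisory that redirect or rewrite egress.
EGRESS_FLAGS = (
    "--proxy-server",
    "--proxy-pac-url",
    "--proxy-bypass-list",
    "--host-resolver-rules",
)

# Constructed static resolver so the example runs offline. A real deployment
# must resolve with the same resolver the browser uses and pin the answer it
# validated, otherwise a DNS rebinding between check and use defeats the test.
STATIC_DNS: Dict[str, str] = {
    "localhost": "127.0.0.1",
    "metadata.google.internal": "169.254.169.254",
    "proxy.corp.example": "8.8.8.8",  # stands in for a public egress proxy
}


def _blocked_ip(ip) -> bool:
    """True for any address that is not globally routable (RFC 1918, loopback,
    link-local incl. 169.254.169.254, shared address space, multicast, ...)."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return (not ip.is_global) or ip.is_multicast


def _hosts_in_proxy_value(value: str) -> List[str]:
    """Extract candidate hostnames from a proxy spec.

    Accepts 'http://h:p', 'socks5://h:p', bare 'h:p' and Chromium's
    'scheme=h:p;scheme=h:p' mapping list. Unparseable entries are returned
    verbatim so the caller fails closed on them.
    """
    hosts: List[str] = []
    for entry in value.replace(",", ";").split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry.split("://")[0]:  # 'https=host:port' mapping form
            entry = entry.split("=", 1)[1]
        if entry.startswith("direct://"):
            continue
        if "://" not in entry:
            entry = "//" + entry
        try:
            host = urlsplit(entry).hostname
        except ValueError:
            host = None
        hosts.append(host if host else entry)
    return hosts


def _is_internal(host: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """Literal IPs are tested directly; names are resolved first.
    Unresolvable names are treated as internal (fail closed)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        addr = resolve(host)
        if addr is None:
            return True
        ip = ipaddress.ip_address(addr)
    return _blocked_ip(ip)


def find_unchecked_egress(
    browser_config: dict,
    crawler_config: Optional[dict] = None,
    resolve: Callable[[str], Optional[str]] = STATIC_DNS.get,
) -> List[Tuple[str, str]]:
    """Return (field, value) pairs that would route Chromium's traffic to an
    internal address. An empty list means the request passes this check."""
    crawler_config = crawler_config or {}
    findings: List[Tuple[str, str]] = []

    # 1. The structured proxy fields the advisory lists as unchecked.
    candidates = [
        ("browser_config.proxy_config.server",
         (browser_config.get("proxy_config") or {}).get("server")),
        ("browser_config.proxy", browser_config.get("proxy")),
        ("crawler_config.proxy_config.server",
         (crawler_config.get("proxy_config") or {}).get("server")),
    ]
    for field, value in candidates:
        if value and any(_is_internal(h, resolve) for h in _hosts_in_proxy_value(value)):
            findings.append((field, value))

    # 2. Raw Chromium flags in extra_args. --proxy-server=<spec> is checked like
    #    a server field; a bare flag (value passed separately) and the other
    #    three flags are rejected because their effect cannot be evaluated here.
    for arg in browser_config.get("extra_args") or []:
        name, _, value = arg.partition("=")
        if name not in EGRESS_FLAGS:
            continue
        if name == "--proxy-server" and value:
            if any(_is_internal(h, resolve) for h in _hosts_in_proxy_value(value)):
                findings.append(("browser_config.extra_args", arg))
        else:
            findings.append(("browser_config.extra_args", arg))
    return findings


if __name__ == "__main__":
    # Constructed request bodies: the first reaches the metadata endpoint via
    # the proxy field, the second uses a public proxy and passes.
    print(find_unchecked_egress({"proxy_config": {"server": "http://169.254.169.254:80"}}))
    print(find_unchecked_egress({"proxy_config": {"server": "http://proxy.corp.example:3128"}}))
```

The check runs the same address test on every egress-affecting field rather than on the crawl URL alone, which is the property the fixed version restores. Two design choices matter in practice: the resolver is injectable so the validated answer can be pinned for the browser's use, and anything the check cannot evaluate (unresolvable names, bare flags, PAC URLs, resolver rules) is rejected rather than ignored.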
| Name | purl |
|---|---|
| crawl4ai | pkg:pypi/crawl4ai |
```json
{
  "affected": [
    {
      "ecosystem_specific": {},
      "package": {
        "ecosystem": "PyPI",
        "name": "crawl4ai",
        "purl": "pkg:pypi/crawl4ai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.3.0",
        "0.3.1",
        "0.3.2",
        "0.3.3",
        "0.3.4",
        "0.3.5",
        "0.3.6",
        "0.3.7",
        "0.3.71",
        "0.3.72",
        "0.3.73",
        "0.3.731",
        "0.3.74",
        "0.3.741",
        "0.3.742",
        "0.3.743",
        "0.3.744",
        "0.3.745",
        "0.3.746",
        "0.3.8",
        "0.4.0",
        "0.4.1",
        "0.4.21",
        "0.4.22",
        "0.4.23",
        "0.4.24",
        "0.4.241",
        "0.4.242",
        "0.4.243",
        "0.4.244",
        "0.4.245",
        "0.4.246",
        "0.4.247",
        "0.4.248",
        "0.4.248b3",
        "0.4.3b1",
        "0.4.3b2",
        "0.4.3b3",
        "0.5.0",
        "0.5.0.post1",
        "0.5.0.post2",
        "0.5.0.post3",
        "0.5.0.post4",
        "0.5.0.post5",
        "0.5.0.post6",
        "0.5.0.post7",
        "0.5.0.post8",
        "0.6.0",
        "0.6.0rc1",
        "0.6.1",
        "0.6.2",
        "0.6.3",
        "0.7.0",
        "0.7.1",
        "0.7.2",
        "0.7.3",
        "0.7.4",
        "0.7.5",
        "0.7.6",
        "0.7.7",
        "0.7.8",
        "0.8.0",
        "0.8.5",
        "0.8.6",
        "0.8.7",
        "0.8.8"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53755",
    "GHSA-6qhc-x826-342c"
  ],
  "details": "Crawl4AI is an open-source LLM friendly web crawler \u0026 scraper. Prior to 0.8.9, the Docker API server applied its SSRF destination check to the crawl target URL only, not to the proxy address. An unauthenticated request could supply a proxy pointing at an internal IP and route the browser through it, reaching internal services and cloud-metadata endpoints, while using a perfectly valid crawl URL. The Docker API is unauthenticated by default. /crawl, /crawl/stream, and /crawl/job accept a browser_config (and crawler_config). The following all feed Chromium\u0027s egress and were unchecked: browser_config.proxy_config.server, browser_config.proxy (deprecated field), crawler_config.proxy_config.server, and --proxy-server / --proxy-pac-url / --proxy-bypass-list / --host-resolver-rules flags in browser_config.extra_args. This vulnerability is fixed in 0.8.9.",
  "id": "PYSEC-2026-588",
  "modified": "2026-06-30T23:09:25.091393Z",
  "published": "2026-06-23T19:17:07.477Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/unclecode/crawl4ai/security/advisories/GHSA-6qhc-x826-342c"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}
```
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.