Crawl4AI: SSRF via proxy settings in the Docker server bypasses the crawl-URL SSRF check
Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.9, the Docker API server applied its SSRF destination check to the crawl target URL only, not to the proxy address. An unauthenticated request could supply a proxy pointing at an internal IP and route the browser through it, reaching internal services and cloud-metadata endpoints, while using a perfectly valid crawl URL. The Docker API is unauthenticated by default. /crawl, /crawl/stream, and /crawl/job accept a browser_config (and crawler_config). The following all feed Chromium's egress and were unchecked: browser_config.proxy_config.server, browser_config.proxy (deprecated field), crawler_config.proxy_config.server, and --proxy-server / --proxy-pac-url / --proxy-bypass-list / --host-resolver-rules flags in browser_config.extra_args. This vulnerability is fixed in 0.8.9.
Problem Types
| Type | CWE ID | Description |
|---|
| CWE | CWE-918 | CWE-918: Server-Side Request Forgery (SSRF) |
Type: CWE
Description: CWE-918: Server-Side Request Forgery (SSRF)
Metrics
| Version | Base score | Base severity | Vector |
|---|
| 3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N