crawl4ai/SECURITY-CREDITS.md
unclecode cdf2ead7ed security: patch proxy SSRF in Docker server (0.8.9)
0.8.8's SSRF check validated the crawl target URL but not the proxy address, so
an unauthenticated /crawl, /crawl/stream, or /crawl/job could route the browser
through a proxy pointing at an internal IP and reach internal services / cloud
metadata. Reported by Geo (geo-chen).

Fix (backward compatible): validate every proxy destination with the same
not-is_global check used for crawl URLs, before the browser is built -
browser_config.proxy, browser_config.proxy_config.server,
crawler_config.proxy_config.server - and strip proxy/DNS-redirecting flags
(--proxy-server / --proxy-pac-url / --proxy-bypass-list / --host-resolver-rules)
from extra_args. A legitimate public proxy still works; configure proxies via
proxy_config (validated), not raw extra_args flags. _enforce_proxy_safety is
called in both crawl handlers (and covers /crawl/job transitively); HTTPException
passthrough added so the 400 is not masked as a 500.

Bump 0.8.8 -> 0.8.9 (__version__ + Dockerfile). 20 new tests; full security
suite 161 pass. Changelog, release blog, README, SECURITY-CREDITS updated.

This vector was already fixed in the upcoming secure-by-default release; 0.8.9
brings it forward because it is an unauthenticated SSRF.
2026-06-04 06:17:41 +00:00
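The proxy check the commit message describes, written out as an added example that is not crawl4ai's own code: it applies the same not-is_global rule used for crawl URLs to the three proxy locations the commit names and strips the listed Chromium flags from extra_args, raising an error a request handler can map to a 400. The function names (enforce_proxy_safety, check_proxy_server, strip_proxy_flags, resolve_host), the dict-shaped proxy_config and the injectable resolver are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Chromium flags that could route traffic around a validated proxy; the names are
# the four listed in the commit message, collected here for this example.
FORBIDDEN_FLAGS = frozenset({
    "--proxy-server", "--proxy-pac-url", "--proxy-bypass-list", "--host-resolver-rules",
})


class ProxyRejected(ValueError):
    """Proxy points at a non-global address; a handler should map this to HTTP 400."""


def resolve_host(host):
    """Return every address a proxy host maps to; IP literals pass through untouched."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass  # not a literal, so look it up
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_proxy_server(server, resolver=resolve_host):
    """Apply the not-is_global rule to one proxy destination (scheme optional)."""
    if not server:
        return  # no proxy configured at this location
    parts = urlsplit(server if "://" in server else "http://" + server)
    if not parts.hostname:
        raise ProxyRejected("proxy has no host: %r" % server)
    # Every resolved address must be global: loopback, private, link-local
    # (169.254.169.254 metadata), CGNAT and unspecified addresses all fail here.
    for addr in resolver(parts.hostname):
        if not ipaddress.ip_address(addr).is_global:
            raise ProxyRejected("proxy %s resolves to non-global %s" % (parts.hostname, addr))


def strip_proxy_flags(extra_args):
    """Drop both --flag and --flag=value forms of flags that could override the proxy."""
    return [a for a in extra_args if a.split("=", 1)[0] not in FORBIDDEN_FLAGS]


def enforce_proxy_safety(browser_proxy, browser_proxy_config, crawler_proxy_config,
                         extra_args, resolver=resolve_host):
    """Validate all three proxy locations from the commit and return sanitised extra_args."""
    for server in (browser_proxy,
                   (browser_proxy_config or {}).get("server"),
                   (crawler_proxy_config or {}).get("server")):
        check_proxy_server(server, resolver)
    return strip_proxy_flags(extra_args)
```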


Security Credits

We thank the following security researchers for their responsible disclosure:

| Researcher | Contact | Vulnerability | Date Reported |
|---|---|---|---|
| Song Binglin (q1uf3ng) | q1uf3ng@proton.me | AST sandbox escape via gi_frame.f_back chain (CVSS 9.8) | 2026-03-29 |
| Jeongbean Jeon | wjswjdqls7@gmail.com | File write, SSRF, monitor auth bypass, stored XSS | 2026-04-13 |
| wulonchia | wulonchia@gmail.com | File write via output_path (independent report) | 2026-04-13 |
| by111 (August829) | GitHub: August829 | Hardcoded JWT secret, eval in /config/dump, /execute_js, hook sandbox escape | 2026-04-14 |
| secsys_codex (FORIMOC) | secsys_codex@163.com | SSRF via /md, /crawl, /llm endpoints (URL destination validation) | 2026-04-18 |
| Velayutham Selvaraj | LinkedIn | SSRF via missing host validation in validate_url_scheme (independent report) | 2026-05-06 |
| IcySun & Yashon | icysun@qq.com, liyaoyin@qq.com | SSRF, file write via output_path, missing auth by default, hook sandbox bypass via asyncio (independent report) | 2026-05-15 |
| Geo (geo-chen) | cve@sageby.com | LLM API key exfiltration via unvalidated base_url (0.8.8) | 2026-06-02 |
| Geo (geo-chen) | cve@sageby.com | SSRF via proxy_config.server bypassing the SSRF check (0.8.9) | 2026-06-04 |