unclecode/crawl4ai
1
0
Fork 0
mirror of https://github.com/unclecode/crawl4ai.git synced 2026-06-10 15:58:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
develop
crawl4ai/docs/blog/release-v0.8.9.md
unclecode cdf2ead7ed security: patch proxy SSRF in Docker server (0.8.9) 
0.8.8's SSRF check validated the crawl target URL but not the proxy address, so
an unauthenticated /crawl, /crawl/stream, or /crawl/job could route the browser
through a proxy pointing at an internal IP and reach internal services / cloud
metadata. Reported by Geo (geo-chen).

Fix (backward compatible): validate every proxy destination with the same
not-is_global check used for crawl URLs, before the browser is built -
browser_config.proxy, browser_config.proxy_config.server,
crawler_config.proxy_config.server - and strip proxy/DNS-redirecting flags
(--proxy-server / --proxy-pac-url / --proxy-bypass-list / --host-resolver-rules)
from extra_args. A legitimate public proxy still works; configure proxies via
proxy_config (validated), not raw extra_args flags. _enforce_proxy_safety is
called in both crawl handlers (and covers /crawl/job transitively); HTTPException
passthrough added so the 400 is not masked as a 500.

Bump 0.8.8 -> 0.8.9 (__version__ + Dockerfile). 20 new tests; full security
suite 161 pass. Changelog, release blog, README, SECURITY-CREDITS updated.

This vector was already fixed in the upcoming secure-by-default release; 0.8.9
brings it forward because it is an unauthenticated SSRF.
2026-06-04 06:17:41 +00:00

1.9 KiB
Raw Permalink Blame History

Crawl4AI v0.8.9: Proxy SSRF Patch

June 2026 - 2 min read

I'm releasing Crawl4AI v0.8.9, a follow-up security patch for the self-hosted Docker API server. It closes a server-side request forgery path that v0.8.8 did not cover. It is backward compatible: upgrade in place, no configuration changes required.

If you run the Docker server, please upgrade. If it is exposed to a network, also set CRAWL4AI_API_TOKEN. A security advisory accompanies this release.

What it fixes

The SSRF destination check validated the crawl target URL, but not the proxy address. An unauthenticated /crawl, /crawl/stream, or /crawl/job request could point a proxy at an internal IP and route the browser through it, reaching internal services and cloud-metadata endpoints, even with a perfectly valid crawl URL.

v0.8.9 validates every proxy destination with the same global-routability check before the browser is built:

  • browser_config.proxy_config.server
  • browser_config.proxy (deprecated field)
  • crawler_config.proxy_config.server
  • proxy / DNS-redirecting flags in extra_args (--proxy-server, --host-resolver-rules, --proxy-bypass-list, --proxy-pac-url) are stripped

A legitimate public proxy still works. The only behavior change: set proxies through proxy_config (which is validated) rather than raw extra_args flags.

Upgrade

pip install -U crawl4ai
docker pull unclecode/crawl4ai:0.8.9

Still coming: a secure-by-default Docker server (~1-2 weeks)

The next release remains a larger, secure-by-default update for the Docker API server, with intentional breaking changes (authentication on by default, stricter request validation, safer deployment defaults). A full migration guide will accompany the pre-announcement on Discord and X. This proxy fix is already part of that release; 0.8.9 simply brings it forward because it is an unauthenticated SSRF.

Thanks to Geo for the responsible disclosure.

Live long and import crawl4ai

Reference in New Issue View Git Blame Copy Permalink