Skip to main content

Firecrawl CVE-2026-32857

| EUVDEUVD-2026-16275 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-26 VulnCheck GHSA-9j9r-wghq-j565
7.8
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 17:45 euvd
EUVD-2026-16275
Analysis Generated
Mar 26, 2026 - 17:45 vuln.today
CVE Published
Mar 26, 2026 - 17:29 nvd
HIGH 7.8

DescriptionCVE.org

Firecrawl version 2.8.0 and prior contain a server-side request forgery (SSRF) protection bypass vulnerability in the Playwright scraping service where network policy validation is applied only to the initial user-supplied URL and not to subsequent redirect destinations. Attackers can supply an externally valid URL that passes validation and returns an HTTP redirect to an internal or restricted resource, allowing the browser to follow the redirect and fetch the final destination without revalidation, thereby gaining access to internal network services and sensitive endpoints. This issue is distinct from CVE-2024-56800, which describes redirect-based SSRF generally. This vulnerability specifically arises from a post-redirect enforcement gap in implemented SSRF protections, where validation is applied only to the initial request and not to the final redirected destination.

AnalysisAI

Firecrawl's Playwright scraping service through version 2.8.0 permits attackers to bypass SSRF protections and access internal network resources by exploiting a validation gap in redirect handling. Unauthenticated remote attackers can supply externally valid URLs that redirect to restricted internal endpoints, as network policy checks apply only to the initial request and not subsequent redirect destinations. With a CVSS score of 7.8 and high subsequent system confidentiality impact (SC:H), this represents a distinct post-redirect enforcement weakness separate from general redirect-based SSRF (CVE-2024-56800), though no public exploit is identified at time of analysis.

Technical ContextAI

Firecrawl is a web scraping and crawling service that leverages Playwright for browser-based content extraction. The affected product (cpe:2.3:a:firecrawl:firecrawl) implements SSRF protections to prevent access to internal network resources, but these controls suffer from CWE-918 (Server-Side Request Forgery) due to incomplete validation logic. Specifically, the Playwright scraping service validates user-supplied URLs against network policies at the initial request stage, but fails to revalidate the final destination URL after HTTP redirects occur. This architectural flaw allows attackers to exploit the redirect chain mechanism common in HTTP/1.1 and HTTP/2 protocols, where browsers automatically follow 3xx status codes to new locations. The vulnerability resides in the enforcement layer rather than the validation logic itself, creating a time-of-check to time-of-use (TOCTOU) gap in security controls.

RemediationAI

Organizations should monitor the Firecrawl GitHub security advisory at https://github.com/firecrawl/firecrawl/security/advisories/GHSA-vjp8-2wgg-p734 for vendor-released patch information and upgrade guidance, as specific fixed version details are not provided in current intelligence sources. Until a confirmed patched version is available and deployed, implement network-level compensating controls including restricting Firecrawl's outbound network access to only required external domains via egress filtering, blocking access to RFC 1918 private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), and localhost (127.0.0.0/8). Deploy Firecrawl in isolated network segments with no access to sensitive internal services, and configure HTTP proxy settings to enforce redirect validation policies at the network perimeter. Review the VulnCheck advisory at https://www.vulncheck.com/advisories/firecrawl-playwright-service-ssrf-protection-bypass-via-missing-post-redirect-validation for additional technical mitigation strategies specific to Playwright-based scraping configurations.

Share

CVE-2026-32857 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy