Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionNVD
Overview
- Vulnerability type: Blind SSRF
- Affected components:
src/crawlee/_utils/sitemap.py,src/crawlee/_utils/robots.py,src/crawlee/request_loaders/_sitemap_request_loader.py, and all built-in HTTP clients. - Trigger: an attacker-controlled sitemap or
robots.txtcontaining a URL that points to an internal host (layer 1) or uses a non-http scheme (layer 2).
Two-layer SSRF via sitemap-derived URLs:
1) Cross-host HTTP SSRF
Base case, affects every HTTP client.** Sitemap entries and robots.txt Sitemap: directives were accepted regardless of the host they pointed to. A sitemap on example.com could push http://internal.corp/admin into the crawler's queue, and the configured HTTP client would dispatch the request.
2) Non-HTTP scheme SSRF
Escalation, only CurlImpersonateHttpClient.** Nested-sitemap fetching dispatches the URL straight to the HTTP client, bypassing the Request construction step where Pydantic enforces http(s). Combined with the libcurl-backed CurlImpersonateHttpClient, this lets gopher://, file://, dict://, ftp://, etc., through.
Root cause
Crawlee already validates URL schemes through Pydantic's AnyHttpUrl (via validate_http_url in src/crawlee/_utils/urls.py) wherever a crawl target is materialised as a Request: the Request.url field is declared as Annotated[str, BeforeValidator(validate_http_url), Field(frozen=True)]. Anything that becomes a Request is therefore guaranteed to be http(s).
Two parts of the sitemap pipeline sidestepped this property in different ways:
1) Sitemap-derived URLs were enqueued without any host policy
SitemapRequestLoader took every <urlset><url><loc> entry, wrapped it in Request.from_url (which accepts any valid http(s) URL), and pushed the result into the request queue. RobotsTxtFile.get_sitemaps() returned every Sitemap: directive verbatim. Neither imposed any host check against the parent sitemap or robots.txt URL, so an attacker controlling that content could push internal-network HTTP URLs into the queue and have them crawled by whichever HTTP client was configured.
2) Nested sitemap fetching bypassed the Request chokepoint entirely
When _XmlSitemapParser encountered <sitemapindex><sitemap><loc>…</loc></sitemap></sitemapindex>, or when RobotsTxtFile.parse_sitemaps forwarded Sitemap: directives into the same pipeline, _fetch_and_process_sitemap dispatched the URL directly to the HTTP client:
async with http_client.stream(
sitemap_url,
method='GET',
headers=SITEMAP_HEADERS,
proxy_info=proxy_info,
timeout=timeout,
) as response:
...No Request was constructed, so the Pydantic validator never ran. Before the fix, the HTTP clients' own send_request() and stream() methods did not call validate_http_url either, so a non-http(s) scheme could pass straight through to the backend client.
The non-HTTP escalation in layer 2 is specific to CurlImpersonateHttpClient, which is backed by curl-cffi / libcurl and speaks gopher, file, dict, ftp, and other non-HTTP protocols. The other clients shipped with Crawlee (HttpxHttpClient, ImpitHttpClient, PlaywrightHttpClient) reject non-http(s) schemes at their own backend layer, regardless of what Crawlee passes in, so they were only affected by layer 1.
Vulnerable paths
Layer 1 - cross-host HTTP (all HTTP clients)
- *Source:* an attacker-controlled sitemap that lists internal URLs under
<urlset><url><loc>or<sitemapindex><sitemap><loc>, or an attacker-controlledrobots.txtthat lists internal URLs underSitemap:. - *Sink:* the configured HTTP client issues
GETrequests against those URLs - either viaclient.request(url=request.url, …)insidecrawl()for regular sitemap URLs, or viaclient.stream(url, …)inside the nested-sitemap fetch.
Layer 2 - non-HTTP schemes (CurlImpersonateHttpClient only)
- *Source:* a nested
<sitemap><loc>entry or arobots.txtSitemap:directive pointing to a non-http(s)URL. - *Sink:*
CurlImpersonateHttpClient.stream(...)hands the URL string verbatim toclient.request(url=…, …), which dispatches via libcurl.
Hardening in 1.7.0 was added at both producer and consumer ends - see *Remediation*.
Exploitation preconditions
- The crawler uses sitemap loading: any of
SitemapRequestLoader,Sitemap.load/parse_sitemap,discover_valid_sitemaps, orRobotsTxtFile.parse_sitemaps. - The attacker controls the body of a sitemap or
robots.txtthat the crawler fetches - typically by being the target site, or by getting a target site to publish a malicious sitemap. - The crawler's network egress can reach the attacker-chosen destination (e.g., internal services on the same network).
- The targeted endpoint accepts unauthenticated requests. Crawlee does not supply credentials to the forged destination, so authenticated services (IMDSv2 with token, password-protected Redis, protected admin panels) are not reachable through this path.
For layer 2 (non-HTTP), the configured HTTP client must additionally be CurlImpersonateHttpClient.
Impact
Layer 1 - cross-host HTTP (any client)
The crawler can be coerced into issuing GET requests against internal HTTP services on its own network: admin panels, unauthenticated internal APIs, cloud metadata endpoints, etc. Read-back is blind - Crawlee surfaces fetched content only through its local Dataset / KeyValueStore (push_data() etc.) and does not natively forward scraped bodies anywhere external - so direct impact is mostly existence/timing probing and occasional state changes via side-effecting GET endpoints. Read-side leakage of internal content is only exploitable end-to-end if the deployer's own application separately exposes scraped data (for example, a public summariser or aggregator built on top of Crawlee).
Layer 2 - non-HTTP escalation (only CurlImpersonateHttpClient)
Under the affected client, attackers gain the libcurl scheme set:
gopher://is the canonical RESP-injection vector: pipelineFLUSHALL,CONFIG SET dir,CONFIG SET dbfilename,SAVEto an unauthenticated Redis on the crawler's network - enough to write attacker-controlled bytes to disk and, in the standard escalation, achieve remote code execution on the Redis host.file://allows the crawler to read local files (application secrets, configuration) on the crawler host.dict://andftp://permit fingerprinting and limited interaction with text-protocol services.
In both layers, the SSRF is blind in the default configuration. Write-side impact (gopher:// → Redis) and timing-based internal probing do not depend on read-back and remain viable regardless of whether the deployer surfaces scraped content.
Remediation
Both layers are fixed in crawlee==1.7.0. The fix is split across two PRs, applied at the two complementary boundaries of the affected pipeline:
- Producer-side filtering - sitemap and robots.txt loaders (PR #1864).
SitemapRequestLoaderandRobotsTxtFile.get_sitemaps()now run every nested-sitemap entry, every regular sitemap URL, and everySitemap:directive throughcrawlee._utils.urls.filter_url. This applies to anEnqueueStrategy(default'same-hostname') against the parent sitemap /robots.txtURL - cross-host entries are dropped - and rejects non-http(s)schemes. The strategy is stamped onto the emittedRequests, soBasicCrawler._check_url_after_redirectscontinues policing the policy across redirects. - Consumer-side validation - HTTP-client boundary (PR #1862).
validate_http_url(url)is now called at the top ofsend_request()andstream()inImpitHttpClient,HttpxHttpClient,CurlImpersonateHttpClient, andPlaywrightHttpClient. Non-http(s)schemes raisepydantic.ValidationErrorbefore any backend call.crawl()was already covered, becauseRequest.urlis validated by Pydantic on construction.
After these changes, validation is enforced both where sitemap-derived HTTP requests are produced (sitemap and robots.txt loaders) and where they are consumed (HTTP clients). A regression at either layer is caught by the other.
Behaviour change for upgraders
SitemapRequestLoader and RobotsTxtFile.get_sitemaps() now default to enqueue_strategy='same-hostname'. Deployers that legitimately relied on cross-host sitemap entries (e.g., a sitemap index on sitemaps.example.com that points to content on www.example.com) must opt in explicitly with enqueue_strategy='same-domain' or enqueue_strategy='all'.
Finder credits
- @r0otsu
- @Yuremin (Zhengmin Yu)
- @FORIMOC
- @invoke1442 (Ethan Carter)
- @Arturo0x90 (Arturo Melgarejo)
AnalysisAI
Two-layer blind SSRF in Crawlee for Python (pip/crawlee >= 1.0.0, < 1.7.0) allows an attacker who controls a sitemap or robots.txt file to force the crawler to issue HTTP requests against internal network services (layer 1, all HTTP clients), and - when CurlImpersonateHttpClient is configured - to dispatch non-HTTP scheme requests including gopher://, file://, dict://, and ftp:// (layer 2). The layer 2 escalation enables canonical Redis exploitation via gopher://, making RCE on unauthenticated internal Redis instances achievable from a public-facing crawler. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the researcher-credited advisory details a fully articulated attack path including Redis RCE.
Technical ContextAI
The affected package is pkg:pip/crawlee, the Python web-crawling framework by Apify. The root cause (CWE-918: Server-Side Request Forgery) exists in the sitemap pipeline: src/crawlee/_utils/sitemap.py, src/crawlee/_utils/robots.py, and src/crawlee/request_loaders/_sitemap_request_loader.py. Crawlee uses Pydantic's AnyHttpUrl via a BeforeValidator on the Request.url field to enforce http(s) schemes wherever crawl targets are materialized as Request objects. However, two code paths bypassed this chokepoint. First, SitemapRequestLoader and RobotsTxtFile.get_sitemaps() accepted sitemap entries without any host-affinity policy, allowing cross-host HTTP URLs to enter the queue. Second, the nested-sitemap fetch path (_fetch_and_process_sitemap) dispatched URLs directly to http_client.stream() without ever constructing a Request object, so the Pydantic validator never ran. The libcurl-backed CurlImpersonateHttpClient (curl-cffi) natively supports gopher, file, dict, and ftp schemes at the backend level, whereas HttpxHttpClient, ImpitHttpClient, and PlaywrightHttpClient reject non-http(s) schemes at their own backend layers regardless of what Crawlee passes. The fix in 1.7.0 applies defense-in-depth: producer-side host filtering via EnqueueStrategy (default same-hostname) in PR #1864, and consumer-side validate_http_url calls at the top of send_request() and stream() across all four HTTP clients in PR #1862.
RemediationAI
The primary fix is to upgrade to crawlee==1.7.0, which contains both remediation PRs. PR #1864 adds producer-side host-affinity filtering: SitemapRequestLoader and RobotsTxtFile.get_sitemaps() now apply an EnqueueStrategy (default same-hostname) against the parent sitemap or robots.txt URL, dropping cross-host entries and rejecting non-http(s) schemes before URLs enter the queue. PR #1862 adds consumer-side validation: validate_http_url() is now called at the entry of send_request() and stream() in all four HTTP clients, raising pydantic.ValidationError on non-http(s) schemes before any backend call. Deployers who legitimately use cross-host sitemap indexes (e.g., a sitemap index on sitemaps.example.com pointing to www.example.com) must explicitly set enqueue_strategy='same-domain' or enqueue_strategy='all' after upgrading, as the new default same-hostname will silently drop such entries - this is a behavior-breaking change that requires audit before deployment. If immediate upgrade is not possible, a compensating control for layer 2 specifically is to avoid configuring CurlImpersonateHttpClient and use HttpxHttpClient or ImpitHttpClient instead, which reject non-http(s) schemes at their backends; this does not mitigate layer 1. For layer 1, restricting crawler network egress via firewall rules to block access to RFC 1918 address space and cloud metadata endpoints (e.g., 169.254.169.254) reduces but does not eliminate blast radius. Advisory: https://github.com/apify/crawlee-python/security/advisories/GHSA-3r75-xc34-5f44.
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i
UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user
Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.
A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab
An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4
goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36067
GHSA-3r75-xc34-5f44