Crawl4AI CVE-2026-53754
Severity (by source): HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable unauthenticated Docker API (PR:N, AV:N, AC:L); SSRF to IMDS yields high confidentiality via credential theft, but no direct write or DoS, so I:N and A:N.
Primary rating from GitHub Advisory.
CVSS Vector (GitHub Advisory)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (GitHub Advisory)
Summary
The Docker API server's SSRF protection (validate_webhook_url / validate_url_destination in deploy/docker/utils.py) used an explicit IPv4/IPv6 CIDR blocklist that missed several address families. An attacker could reach internal services and cloud metadata endpoints (e.g. 169.254.169.254) despite the filter by encoding an internal IPv4 address inside an IPv6 transition form, or by using the IPv6 unspecified address.
Because the Docker API is unauthenticated by default (jwt_enabled: false), no credentials are required.
Affected paths
The blocklist was applied to crawl URLs (POST /crawl, /md, /html, /screenshot, /pdf, /execute_js) and webhook URLs (/crawl/job, /llm/job). All shared the same incomplete check.
Bypasses
The following all resolve to (or route to) blocked internal addresses but were NOT caught:
- IPv6 unspecified: ::
- NAT64: 64:ff9b::a9fe:a9fe (embeds 169.254.169.254)
- 6to4: 2002:a9fe:a9fe:: (embeds 169.254.169.254)
- IPv4-mapped: ::ffff:169.254.169.254
- IPv4-compatible: ::a9fe:a9fe
The error message also echoed the resolved internal IP, acting as a minor DNS/oracle leak.
Impact
Server-Side Request Forgery: an unauthenticated attacker can make the server fetch internal-network URLs and cloud instance-metadata endpoints, potentially exposing internal services and cloud credentials.
Fix
The blocklist is replaced by a single rule: reject any resolved IP where not ip.is_global, evaluated on the address AND every embedded IPv4 transition form (v4-mapped, NAT64 64:ff9b::/96, 6to4 2002::/16, v4-compat ::/96). Error messages are now opaque and no longer echo the resolved IP.
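As an added example (not Crawl4AI's own code), a Python check of the kind the fix describes: every transition form listed above is unwrapped and is_global is required on each, beside an illustrative CIDR-style blocklist that, like the pre-fix filter, misses the encoded forms. The blocklist contents and the helper names are assumptions.

```python
# Added example, not the project's deploy/docker/utils.py: an is_global check
# that also unwraps IPv6 transition encodings, beside a CIDR-blocklist check
# of the kind the advisory says was bypassed.
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network

# Illustrative legacy-style blocklist (constructed here; not the project's list).
LEGACY_BLOCKLIST = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

NAT64 = ip_network("64:ff9b::/96")     # RFC 6052 well-known prefix
V4_COMPAT = ip_network("::/96")        # deprecated IPv4-compatible form


def legacy_is_blocked(addr: str) -> bool:
    """CIDR-list check: an IPv6 address never matches an IPv4 network."""
    ip = ip_address(addr)
    return any(ip in net for net in LEGACY_BLOCKLIST)


def embedded_ipv4_forms(ip):
    """Yield each IPv4 address carried inside an IPv6 transition form."""
    if not isinstance(ip, IPv6Address):
        return
    if ip.ipv4_mapped is not None:        # ::ffff:a.b.c.d
        yield ip.ipv4_mapped
    if ip.sixtofour is not None:          # 2002:AABB:CCDD::/48
        yield ip.sixtofour
    if ip in NAT64 or ip in V4_COMPAT:    # low 32 bits carry the IPv4
        yield IPv4Address(ip.packed[12:])


def is_safe_destination(addr: str) -> bool:
    """Allow only addresses that are globally routable in every encoding."""
    ip = ip_address(addr)
    return all(c.is_global for c in (ip, *embedded_ipv4_forms(ip)))
```

The stand-alone IPv6 forms of 64:ff9b::a9fe:a9fe and 2002:a9fe:a9fe:: report is_global as true in Python's ipaddress module, which is why the unwrapping step, not is_global alone, closes the gap.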
Workarounds
- Upgrade to the patched version.
- Enable authentication (CRAWL4AI_API_TOKEN).
- Restrict the container's outbound network access (egress firewall / no metadata route).
Credits
Internal security audit (Crawl4AI maintainers).
Analysis (AI)
Server-Side Request Forgery in Crawl4AI's Docker API server (versions <= 0.8.7) allows unauthenticated remote attackers to bypass the IPv4/IPv6 CIDR blocklist in validate_webhook_url/validate_url_destination by using IPv6 transition forms (NAT64, 6to4, IPv4-mapped, IPv4-compatible) or the unspecified address. Since the Docker API ships with jwt_enabled:false by default, attackers can pivot the server into fetching cloud metadata endpoints like 169.254.169.254, potentially exposing IAM credentials. …
Vulnerability Assessment (AI)
| Section | Assessment |
| --- | --- |
| Exploitation | Exploitable against any Crawl4AI Docker API deployment <= 0.8.7 running with the default jwt_enabled:false (no CRAWL4AI_API_TOKEN set) where the attacker can reach one of the vulnerable endpoints (/crawl, /md, /html, /screenshot, /pdf, /execute_js, /crawl/job, /llm/job). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 3.1 base 7.5 (AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:N) accurately reflects an unauthenticated network-reachable SSRF with high confidentiality impact via metadata theft. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers a Crawl4AI Docker API exposed to the internet (or accessible from a tenant in the same VPC) and issues an unauthenticated POST /crawl with url set to http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/. The server resolves the IPv6 form, the legacy blocklist fails to match, and the response containing AWS instance-credentials is returned in the crawl output. … |
| Remediation | Vendor-released patch: upgrade pip/crawl4ai to 0.8.8 or later, which replaces the explicit CIDR blocklist with an ipaddress.is_global check evaluated across all IPv6 transition encodings (v4-mapped, NAT64 64:ff9b::/96, 6to4 2002::/16, v4-compat ::/96) and also makes error messages opaque to remove the DNS/oracle leak; see https://github.com/unclecode/crawl4ai/security/advisories/GHSA-4qqr-vv2q-cmr5. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI)
Within 24 hours: Identify all systems running Crawl4AI versions <= 0.8.7; confirm network connectivity from these systems to cloud metadata endpoints (169.254.169.254 for AWS, etc.). …
GHSA-4qqr-vv2q-cmr5