Skip to content

Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution

Critical
unclecode published GHSA-365w-hqf6-vxfg Jun 2, 2026

Package

pip crawl4ai (pip)

Affected versions

<= 0.8.6

Patched versions

0.8.7

Description

Summary

Multiple security vulnerabilities in the Crawl4AI Docker API server affecting endpoints for crawling, markdown/LLM extraction, screenshots, PDFs, webhooks, monitoring, JavaScript execution, and configuration.

Vulnerabilities

1. Arbitrary File Write via /screenshot and /pdf (CWE-22, CVSS 9.1)

The output_path parameter accepts arbitrary filesystem paths with no validation. An attacker can overwrite server files (DoS) or write to any appuser-writable location.

Fix: Added validate_output_path() restricting writes to CRAWL4AI_OUTPUT_DIR (/tmp/crawl4ai-outputs by default). Added Pydantic field_validator rejecting .. traversal sequences.

2. SSRF via Webhook URL (CWE-918, CVSS 8.6)

Webhook URLs in /crawl/job and /llm/job accept internal/private IPs with no validation, enabling Server-Side Request Forgery against cloud metadata endpoints (169.254.169.254), internal services, and Docker networks.

Fix: Added validate_webhook_url() with blocklist for RFC 1918, loopback, link-local, cloud metadata IPs and hostnames. Validation at both job submission and send time. Explicit follow_redirects=False.

3. Authentication Bypass on Monitor Endpoints (CWE-306, CVSS 6.5)

The monitor router was mounted without token_dep dependency, making all monitoring endpoints (including destructive ones like /monitor/actions/cleanup) accessible without authentication.

Fix: Added dependencies=[Depends(token_dep)] to monitor router. Added explicit token check on WebSocket /monitor/ws endpoint.

4. Stored XSS in Monitor Dashboard (CWE-79, CVSS 6.1)

URLs and error messages rendered in the monitor dashboard via innerHTML without escaping, enabling stored XSS via crafted crawl URLs.

Fix: Server-side html.escape() on URL and error storage. Client-side escapeHtml() wrapper on all innerHTML template injections.

5. Arbitrary JavaScript Execution via /execute_js (CWE-94, CVSS 8.1)

The /execute_js endpoint accepts and executes arbitrary JavaScript in the server's browser with --disable-web-security enabled, combining arbitrary JS execution with SSRF capability.

Fix: Disabled by default via CRAWL4AI_EXECUTE_JS_ENABLED env var. Added SSRF blocklist on destination URL. Removed --disable-web-security from default browser args.

6. Hardcoded JWT Secret Key (CWE-798, CVSS 9.8)

The JWT signing key defaults to "mysecret" in the public source code, allowing anyone to forge valid authentication tokens.

Fix: Removed default value. Added startup validation rejecting weak/short secrets. Auto-generates ephemeral key when JWT enabled but no key set.

7. SSRF via Direct Crawl Endpoints /crawl, /md, /llm (CWE-918, CVSS 8.6)

The primary crawl entry points (/crawl, /crawl/stream, /md, /llm) fetch arbitrary user-supplied URLs with no destination validation, enabling Server-Side Request Forgery against internal services, Docker networks, and cloud metadata endpoints (169.254.169.254). A blocklist that only inspects the literal hostname is additionally bypassable via IPv6-mapped IPv4 addresses (e.g. [::ffff:169.254.169.254], [::ffff:10.0.0.1]), which resolve to the blocked private/metadata ranges but evade a naive string check.

Fix: Added URL destination validation on all crawl/md/llm entry points, reusing the SSRF blocklist (RFC 1918, loopback, link-local, cloud-metadata IPs and hostnames). IPv6-mapped IPv4 addresses are normalized to their IPv4 form before the blocklist check, closing the mapping bypass. raw:// URLs are skipped. Validation applies at request entry, not only at fetch time.

Workarounds

  1. Upgrade to the patched version (recommended)
  2. Set CRAWL4AI_API_TOKEN to enable authentication
  3. Set a strong SECRET_KEY (min 32 chars) if using JWT
  4. Restrict network access to the Docker API

Credits

  • Jeongbean Jeon - file write, SSRF, monitor auth bypass, stored XSS
  • wulonchia - file write via output_path (independent report)
  • by111 (August829) - hardcoded JWT, eval in /config/dump, /execute_js, hook sandbox escape
  • secsys_codex - SSRF via /md, /crawl, /llm endpoints + IPv6-mapped IPv4 bypass (URL destination validation)
  • Velayutham Selvaraj (LinkedIn) - SSRF via missing host validation in validate_url_scheme (independent report)
  • IcySun & Yashon - SSRF, arbitrary file write, missing-auth-by-default, hook sandbox bypass via asyncio (independent report)

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID

No known CVE

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Learn more on MITRE.

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Learn more on MITRE.

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key. Learn more on MITRE.

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.

Credits