Crawl4AI - Server-Side Request Forgery via Direct Crawl Endpoints
Description
Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4 addresses to reach internal services and cloud metadata endpoints.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| crawl4ai (PyPI) | < 0.8.7 | 0.8.7 |
Vulnerability mechanics
Root cause
"The server's internal-address blocklist does not normalize IPv6-mapped IPv4 addresses before comparison, allowing SSRF bypass."
Attack vector
An unauthenticated attacker sends a crafted request to any of the vulnerable endpoints (`/crawl`, `/crawl/stream`, `/md`, `/llm`) with a URL that uses an IPv6-mapped IPv4 address (e.g., `http://[::ffff:127.0.0.1]:...` or `http://[::ffff:a9fe:a9fe]/latest/meta-data/`). The server's blocklist checks for plain IPv4 private ranges but does not recognize the IPv6-mapped form, allowing the request to reach internal services or cloud metadata endpoints [CWE-918]. No authentication is required, so any network-accessible instance can be targeted [CWE-306].
Affected code
The vulnerability affects the `/crawl`, `/crawl/stream`, `/md`, and `/llm` endpoints in the Crawl4AI Docker API server. These endpoints accept arbitrary user-supplied URLs and fetch them without validating the destination, and the internal-address blocklist can be bypassed using IPv6-mapped IPv4 addresses.
What the fix does
The patch in Crawl4AI v0.8.7 introduces a `DomainMapper` component that normalizes all URL hostnames before the blocklist check, converting IPv6-mapped IPv4 addresses into their canonical IPv4 form. This ensures that addresses like `::ffff:127.0.0.1` are recognized as loopback and blocked. The advisory does not show the exact diff, but the release notes confirm the addition of `DomainMapper` and the closure of the SSRF bypass.
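The following Python is an added illustration of the normalization gap described above and is not Crawl4AI's code or its `DomainMapper`: a blocklist check that only understands dotted-quad IPv4 literals sits beside one that canonicalizes IPv6-mapped IPv4 literals first. The blocked ranges and the function names are assumptions; only the standard library is used.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed blocklist of IPv4 ranges (illustrative, not Crawl4AI's actual list).
BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def naive_is_blocked(url: str) -> bool:
    """Pre-fix style check: only dotted-quad IPv4 literals are compared.

    An IPv6-mapped form such as ::ffff:127.0.0.1 fails IPv4 parsing and is
    therefore treated as "not blocked", which is the gap the advisory describes.
    """
    host = urlsplit(url).hostname or ""  # brackets around IPv6 literals are stripped
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_V4)


def canonical_host(host: str) -> str:
    """Normalise a hostname before any blocklist comparison.

    IPv6-mapped IPv4 literals (::ffff:a.b.c.d or ::ffff:xxxx:xxxx) collapse to
    their dotted-quad form; other IP literals and DNS names pass through.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower()  # not an IP literal (a DNS name)
    mapped = getattr(addr, "ipv4_mapped", None)  # only IPv6Address has it
    return str(mapped) if mapped is not None else str(addr)


def hardened_is_blocked(url: str) -> bool:
    """Post-fix style check: canonicalise first, then compare."""
    host = canonical_host(urlsplit(url).hostname or "")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # DNS names need resolution plus a re-check (not shown)
    if isinstance(addr, ipaddress.IPv6Address):
        return addr.is_loopback or addr.is_link_local or addr.is_private
    return any(addr in net for net in BLOCKED_V4)
```

The example covers only address literals; a production guard must also resolve DNS names and validate the resolved address before the fetch.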
Preconditions
- config: The Crawl4AI Docker API server must be running and network-accessible (default port 11235).
- auth: No authentication token is required; the endpoints are exposed without auth.
- network: The attacker must be able to send HTTP POST requests to the server.
- input: The attacker supplies a URL containing an IPv6-mapped IPv4 address in the request body.
Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-365w-hqf6-vxfg (ghsa, ADVISORY)
- github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg (ghsa, vendor-advisory, WEB)
- www.vulncheck.com/advisories/crawl4ai-server-side-request-forgery-via-direct-crawl-endpoints (mitre, third-party-advisory)