{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/crawl4ai--0.8.9/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["crawl4ai (\u003c= 0.8.9)"],"_cs_severities":["high"],"_cs_tags":["ssrf","web-application","docker","unauthenticated","api-exploitation"],"_cs_type":"advisory","_cs_vendors":["Crawl4AI"],"content_html":"\u003cp\u003eA remote, unauthenticated attacker can exploit an unpatched Server-Side Request Forgery (SSRF) vulnerability in the Crawl4AI Docker API server, specifically targeting versions up to 0.8.9. The vulnerability exists because the \u003ccode\u003ehandle_stream_crawl_request\u003c/code\u003e function, used by \u003ccode\u003ePOST /crawl/stream\u003c/code\u003e and \u003ccode\u003ePOST /crawl\u003c/code\u003e with \u003ccode\u003ecrawler_config.stream=true\u003c/code\u003e, fails to validate the destination of provided seed URLs. This oversight allows attackers to supply URLs pointing to internal networks, private IP addresses, or cloud-metadata endpoints (e.g., \u003ccode\u003ehttp://169.254.169.254/\u003c/code\u003e). The server then fetches the content from these internal resources and streams the response directly back to the attacker, potentially leading to unauthorized access to sensitive information like cloud IAM credentials or details about internal services. This critical flaw highlights a gap in the API's security checks, which was previously intended to prevent such attacks on non-streaming paths but was overlooked for streaming functionalities. The Docker API is often unauthenticated by default, increasing the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an internet-facing Crawl4AI Docker API server (version \u0026lt;= 0.8.9).\u003c/li\u003e\n\u003cli\u003eAttacker crafts an unauthenticated \u003ccode\u003ePOST\u003c/code\u003e request targeting the \u003ccode\u003e/crawl/stream\u003c/code\u003e endpoint, or the \u003ccode\u003e/crawl\u003c/code\u003e endpoint with \u003ccode\u003ecrawler_config.stream=true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWithin the request body, the attacker includes a malicious seed URL pointing to an internal, private, or link-local address, such as \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Crawl4AI server's \u003ccode\u003ehandle_stream_crawl_request\u003c/code\u003e function processes the request without applying the necessary \u003ccode\u003evalidate_url_destination\u003c/code\u003e check.\u003c/li\u003e\n\u003cli\u003eThe server initiates an outbound connection to the specified internal URL, fetching the content of the internal resource (e.g., cloud instance metadata).\u003c/li\u003e\n\u003cli\u003eThe fetched response body (e.g., AWS IAM temporary credentials) is then streamed back by the Crawl4AI server to the unauthenticated attacker's client.\u003c/li\u003e\n\u003cli\u003eThe attacker receives and extracts sensitive internal information or credentials from the streamed response.\u003c/li\u003e\n\u003cli\u003eAttacker potentially uses the obtained credentials to escalate privileges or access other internal cloud resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis unauthenticated Server-Side Request Forgery (SSRF) allows remote attackers to read arbitrary internal services and cloud-metadata endpoints. This can expose highly sensitive information such as cloud IAM temporary credentials (e.g., from \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/iam/security-credentials/\u003c/code\u003e), internal network topology, or other confidential data hosted on inaccessible internal systems. The vulnerability is considered high severity due to its unauthenticated nature and direct access to internal resources, which is similar in class and impact to previously identified SSRF flaws in the project. Successful exploitation could lead to privilege escalation, data exfiltration, or broader compromise of cloud environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Crawl4AI instances to version 0.9.0 or later to patch the SSRF vulnerability.\u003c/li\u003e\n\u003cli\u003eEnable authentication on the Crawl4AI Docker API and restrict access to authorized users/systems only.\u003c/li\u003e\n\u003cli\u003eImplement egress filtering or network segmentation to restrict outbound network access from Crawl4AI containers, preventing connections to internal or metadata service IP ranges like \u003ccode\u003e169.254.169.254\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect attempts at exploiting the \u003ccode\u003e/crawl/stream\u003c/code\u003e or \u003ccode\u003e/crawl\u003c/code\u003e (with \u003ccode\u003ecrawler_config.stream=true\u003c/code\u003e) endpoints with internal IP addresses.\u003c/li\u003e\n\u003cli\u003eEnsure webserver access logs are enabled and ingested into your SIEM for the Crawl4AI application to allow detection of malicious \u003ccode\u003ePOST\u003c/code\u003e requests targeting \u003ccode\u003e/crawl/stream\u003c/code\u003e or \u003ccode\u003e/crawl\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T17:41:17Z","date_published":"2026-06-18T17:41:17Z","id":"https://feed.craftedsignal.io/briefs/2026-06-crawl4ai-ssrf/","summary":"A remote, unauthenticated attacker can exploit an unpatched Server-Side Request Forgery (SSRF) vulnerability in Crawl4AI Docker API versions up to 0.8.9, specifically targeting the `/crawl/stream` endpoint, to read internal network services and cloud-metadata endpoints, potentially exposing sensitive information like IAM credentials.","title":"Crawl4AI Unauthenticated SSRF in Docker API `crawl/stream` Endpoint","url":"https://feed.craftedsignal.io/briefs/2026-06-crawl4ai-ssrf/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["crawl4ai (\u003c= 0.8.9)"],"_cs_severities":["critical"],"_cs_tags":["RCE","web-vulnerability","Chromium","container","Docker","Linux"],"_cs_type":"advisory","_cs_vendors":["Crawl4AI"],"content_html":"\u003cp\u003eA critical unauthenticated remote code execution (RCE) vulnerability exists in Crawl4AI, affecting versions up to 0.8.9, where the Docker API server improperly processes \u003ccode\u003ebrowser_config.extra_args\u003c/code\u003e from untrusted request bodies. This flaw allows an attacker to inject Chromium launch arguments, specifically those that can replace child-process launch commands like \u003ccode\u003e--utility-cmd-prefix\u003c/code\u003e, \u003ccode\u003e--renderer-cmd-prefix\u003c/code\u003e, \u003ccode\u003e--gpu-launcher\u003c/code\u003e, or \u003ccode\u003e--browser-subprocess-path\u003c/code\u003e, when combined with \u003ccode\u003e--no-zygote\u003c/code\u003e. By leveraging these arguments, Chromium is forced to fork and execute an attacker-controlled command as the container's runtime user, leading to full compromise. The vulnerability stems from an incomplete denylist approach in earlier versions, which failed to cover critical command execution switches. If exploited, an attacker gains complete control over the container, including access to sensitive application data, mounted secrets, environment variables, and tokens, enabling out-of-band data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an exposed and unauthenticated Crawl4AI Docker API endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated HTTP POST request to a vulnerable API path, such as \u003ccode\u003e/crawl\u003c/code\u003e, \u003ccode\u003e/crawl/stream\u003c/code\u003e, or \u003ccode\u003e/crawl/job\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request body includes \u003ccode\u003ebrowser_config.extra_args\u003c/code\u003e containing specially crafted Chromium launch arguments.\u003c/li\u003e\n\u003cli\u003eMalicious arguments typically include a child-process launch command (e.g., \u003ccode\u003e--utility-cmd-prefix\u003c/code\u003e) combined with \u003ccode\u003e--no-zygote\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Crawl4AI application passes these arguments to Chromium during its launch configuration.\u003c/li\u003e\n\u003cli\u003eChromium, influenced by the injected arguments, forks and executes an attacker-controlled command instead of its intended child process.\u003c/li\u003e\n\u003cli\u003eThe attacker's command executes as the container's runtime user, achieving remote code execution.\u003c/li\u003e\n\u003cli\u003ePost-exploitation, the attacker can access sensitive data, exfiltrate information, or establish further persistence within the compromised container.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to unauthenticated remote code execution (RCE) as the container's runtime user. This grants attackers full read/write access to all application data, mounted secrets, environment variables, and security tokens within the affected container. Attackers can exfiltrate sensitive data out-of-band, install additional malware, or pivot to other systems. Organizations using vulnerable Crawl4AI Docker deployments are at severe risk of data breaches, system compromise, and significant operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade Crawl4AI to version 0.9.0 immediately\u003c/strong\u003e to address the fundamental trust boundary issue that allows injection of dangerous configuration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable authentication\u003c/strong\u003e by configuring \u003ccode\u003eCRAWL4AI_API_TOKEN\u003c/code\u003e and restrict API access to trusted networks and users.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRun Crawl4AI containers with a restrictive seccomp profile\u003c/strong\u003e to limit the ability of processes within the container to execute helper binaries, mitigating the impact of potential RCE.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rules in this brief\u003c/strong\u003e to your SIEM for detection of exploitation attempts and post-exploitation activity.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnsure process creation logging is enabled for Linux containers\u003c/strong\u003e to allow detection of suspicious \u003ccode\u003echromium\u003c/code\u003e child processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T17:40:10Z","date_published":"2026-06-18T17:40:10Z","id":"https://feed.craftedsignal.io/briefs/2026-06-crawl4ai-unauth-rce/","summary":"An attacker can achieve unauthenticated remote code execution (RCE) in Crawl4AI Docker deployments by injecting malicious Chromium launch arguments, such as `--utility-cmd-prefix` and `--no-zygote`, into the `browser_config.extra_args` field of the API request, allowing for arbitrary command execution as the container's runtime user.","title":"Crawl4AI Unauthenticated RCE via Chromium Launch-Argument Injection","url":"https://feed.craftedsignal.io/briefs/2026-06-crawl4ai-unauth-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Crawl4ai (\u003c= 0.8.9)","version":"https://jsonfeed.org/version/1.1"}