Crawl4AI: SSRF via proxy settings in the Docker server bypasses the crawl-URL SSRF check

When

2026-06-16 21:02 UTC

Where

Global (internet)

Category

cyber_advisory · pip

### Summary The Docker API server applied its SSRF destination check to the crawl target URL only, not to the proxy address. An unauthenticated request could supply a proxy pointing at an internal IP and route the browser through it, reaching internal services and cloud-metadata endpoints, while using a perfectly valid crawl URL. The Docker API is unauthenticated by default. ### Affected paths `/crawl`, `/crawl/stream`, and `/crawl/job` accept a `browser_config` (and `crawler_config`). The following all feed Chromium's egress and were unchecked: - `browser_config.proxy_config.server` - `browser_config.proxy` (deprecated field) - `crawler_config.proxy_config.server` - `--proxy-server` / `--proxy-pac-url` / `--proxy-bypass-list` / `--host-resolver-rules` flags in `browser_config.extra_args` ### Attack An attacker sends `/crawl` with a benign, validation-passing URL but a `proxy_config.server` pointing at an internal IP. Chromium routes all requests through that proxy. For plain-HTTP targets the proxy receives the full request and can return any content, which is then returned verbatim in the crawl result (`results[0].html` / `cleaned_html` / `markdown`). In a real deployment the proxy would be an attacker-controlled server pointing at cloud metadata (e.g. AWS IMDSv1 at 169.254.169.254) to retrieve IAM credential tokens. ### Impact Unauthenticated server-side request forgery to internal services and cloud-metadata endpoints, with the response returned to the attacker. ### Fix Every proxy destination is validated with the same global-routability check used for crawl URLs (reject any resolved address that is not `is_global`, including IPv6 transition forms) before the browser is constructed; proxy/DNS-redirecting flags are stripped from `extra_args`. A legitimate public proxy still works. Honors `CRAWL4AI_ALLOW_INTERNAL_URLS`. ### Workarounds - Upgrade to the patched version (0.8.9). - Enable authentication (`CRAWL4AI_API_TOKEN`). - Restrict the container's outbound network access (egress firewall / no metadata route). ### Credits Geo ([geo-chen](https://github.com/geo-chen)) - reported the proxy_config.server SSRF with a clear PoC.

Sources

• GitHub Advisory Database ↗ · first seen 2026-06-16 21:02 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

• Crawl4AI: Arbitrary file write (symlink/TOCTOU) plus log and webhook-header injection in Docker…
  Shared actorsInvolves pip/crawl4ai, pip/crawl4ai· 83% match
• Crawl4AI: LLM credential exfiltration in Docker server via request base_url and env: token reso…
  Shared actorsInvolves pip/crawl4ai, pip/crawl4ai· 83% match
• Crawl4AI: SSRF filter bypass in Docker server via IPv6 transition forms (NAT64 / 6to4 / unspeci…
  Shared actorsInvolves pip/crawl4ai, pip/crawl4ai· 83% match
• Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API
  Shared actorsInvolves pip/crawl4ai, pip/crawl4ai· 83% match
• Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution
  Shared actorsInvolves pip/crawl4ai, pip/crawl4ai· 83% match

← Back to the live map