
Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.extra_args

When:
Where: Global (internet)
Category: cyber_advisory · pip

### Summary

The Docker API server accepted a request-supplied `browser_config.extra_args`, which flowed into Chromium's launch arguments. An attacker could inject Chromium switches that replace a child-process launch command (`--utility-cmd-prefix`, `--renderer-cmd-prefix`, `--gpu-launcher`, `--browser-subprocess-path`) together with `--no-zygote`, causing Chromium to fork/exec an attacker-controlled command as the container's runtime user. The Docker API is unauthenticated by default, so a single request yields arbitrary command execution.

The earlier `extra_args` SSRF patch (0.8.9) used a denylist scoped to proxy/DNS flags. A denylist of launch switches is inherently incomplete, and these command-execution switches were not covered.

### Affected paths

`/crawl`, `/crawl/stream` and `/crawl/job`, each of which accepts a request-supplied `browser_config.extra_args`.

### Impact

Unauthenticated remote code execution as the container runtime user: full read/write of application data, mounted secrets, environment variables and tokens, plus out-of-band exfiltration independent of the HTTP response.

### Fix

0.9.0 establishes a trust boundary for request-supplied configuration: `extra_args` (along with other power fields such as `proxy`, `user_data_dir`, `cdp_url` and `init_scripts`) is a forbidden field for untrusted request bodies. Any request that sets `extra_args` is rejected with HTTP 400 rather than scrubbed against an always-incomplete denylist. In-process SDK callers (trusted) are unaffected.

### Workarounds

- Upgrade to the patched version (0.9.0).
- Enable authentication (`CRAWL4AI_API_TOKEN`) and restrict who can reach the API.
- Run the container with a restrictive seccomp profile and no ability to exec helper binaries.

### Credits

- Y4tacker - reported the `--no-zygote` + `--utility-cmd-prefix` command-injection chain with a confirmed in-container PoC and an allowlist/reject recommendation.
- UDU_RisePho (hoanggxyuuki) - independently reported the request-supplied Chromium launch-flag RCE class (`--renderer-cmd-prefix`), confirmed still reproducing on 0.8.9.
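The Fix section contrasts two designs: scrubbing `extra_args` against a denylist versus refusing the field outright for untrusted callers. The following is an added illustration, not Crawl4AI's own code: a proxy/DNS-scoped denylist (its contents are an assumption modelled on the description of the 0.8.9 patch) lets the launch-command switches the advisory names straight through to the Chromium argv, while a trust-boundary check rejects the request with 400 before anything reaches the launcher. The request bodies, function names and the `FORBIDDEN_REQUEST_FIELDS` set are constructed for the example; nothing is actually executed.

```python
# Added example (not Crawl4AI's code): a proxy/DNS-scoped denylist versus a
# trust-boundary check that rejects forbidden request fields outright.
# The switch names in ATTACKER_BODY are the ones the advisory names; the
# denylist contents, field names and function names are assumptions.
from typing import Dict, List, Tuple

# Assumed 0.8.9-style denylist: scoped to the SSRF-relevant switches only.
PROXY_DNS_DENYLIST = frozenset({
    "--proxy-server", "--proxy-pac-url", "--proxy-bypass-list",
    "--host-resolver-rules", "--host-rules",
})

# Assumed 0.9.0-style forbidden fields: the power fields the advisory lists.
FORBIDDEN_REQUEST_FIELDS = frozenset({
    "extra_args", "proxy", "user_data_dir", "cdp_url", "init_scripts",
})

# Constructed sample request body carrying the switch class the advisory
# describes (placeholder path; no command is launched by this example).
ATTACKER_BODY: Dict = {
    "urls": ["https://example.com"],
    "browser_config": {
        "headless": True,
        "extra_args": ["--no-zygote", "--renderer-cmd-prefix=/tmp/placeholder"],
    },
}

# Constructed sample request body with no power fields set.
BENIGN_BODY: Dict = {
    "urls": ["https://example.com"],
    "browser_config": {"headless": True},
}


def switch_name(arg: str) -> str:
    """'--foo=bar' -> '--foo'; Chromium switches are matched by name."""
    return arg.split("=", 1)[0]


def denylist_scrub(extra_args: List[str]) -> List[str]:
    """Old style: drop only denylisted switches, pass everything else on."""
    return [a for a in extra_args if switch_name(a) not in PROXY_DNS_DENYLIST]


def build_argv_denylist(body: Dict) -> Tuple[int, List[str]]:
    """Old behaviour: scrub, then append whatever survives to the launch argv.
    Returns (http_status, argv)."""
    cfg = body.get("browser_config", {})
    argv = ["chromium", "--headless"] + denylist_scrub(cfg.get("extra_args", []))
    return 200, argv


def build_argv_trust_boundary(body: Dict, trusted: bool = False) -> Tuple[int, List[str]]:
    """New behaviour: an untrusted body that sets any forbidden field is
    rejected with 400 before anything reaches the launcher. Trusted
    in-process callers (the SDK path) skip the check, as the advisory says.
    Returns (http_status, argv); argv is empty on rejection."""
    cfg = body.get("browser_config", {})
    if not trusted:
        offending = sorted(FORBIDDEN_REQUEST_FIELDS & set(cfg))
        if offending:
            return 400, []  # reject the request; do not try to scrub it
    return 200, ["chromium", "--headless"] + list(cfg.get("extra_args", []))


if __name__ == "__main__":
    print("denylist      :", build_argv_denylist(ATTACKER_BODY))
    print("trust boundary:", build_argv_trust_boundary(ATTACKER_BODY))
    print("trusted caller:", build_argv_trust_boundary(ATTACKER_BODY, trusted=True))
```

Run it and the first line shows `--no-zygote` and `--renderer-cmd-prefix=...` surviving the denylist and landing in the argv, while the second returns status 400 with no argv at all. The point of the reject-rather-than-scrub design is that the server never has to enumerate which of Chromium's several hundred switches are dangerous; the field itself is outside the trust boundary for HTTP callers.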
