Server-side Request Forgery (SSRF) Affecting crawl4ai package, versions [,0.8.8)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-CRAWL4AI-17661137
  • published28 Jun 2026
  • disclosed16 Jun 2026
  • creditgeo-chen

Introduced: 16 Jun 2026

New CVE NOT AVAILABLE CWE-522  (opens in a new tab)
CWE-918  (opens in a new tab)

How to fix?

Upgrade Crawl4AI to version 0.8.8 or higher.

Overview

Crawl4AI is a 🚀🤖 Crawl4AI: Open-source LLM Friendly Web Crawler & scraper

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the base_url parameter in API requests and the resolution of environment variables in the LLM configuration process. An attacker can obtain sensitive server-held secrets, such as provider API keys or authentication tokens, by supplying a malicious base_url or referencing protected environment variables in the request.

References

CVSS Base Scores

version 4.0
version 3.1