Server-side Request Forgery (SSRF) Affecting crawlee package, versions [,1.7.0)


Severity (recommended): low, score 0.0 out of 10. CVSS assessment by Snyk's Security Team.

Threat Intelligence

EPSS: 0.29% (21st percentile)

  • Snyk ID: SNYK-PYTHON-CRAWLEE-17675151
  • Published: 29 Jun 2026
  • Disclosed: 21 May 2026
  • Credit: Unknown

Introduced: 21 May 2026

CVE-2026-46497
CWE-918

How to fix?

Upgrade crawlee to version 1.7.0 or higher.

Overview

The crawlee package is Crawlee for Python.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the sitemap or robots.txt processing pipeline. An attacker can coerce the crawler into making requests to internal or non-HTTP endpoints by supplying a malicious sitemap or robots.txt file containing attacker-controlled URLs. This can result in unauthorized access to internal services, reading local files, or interacting with internal network resources, depending on the configured HTTP client and the protocols supported. This is only exploitable if the crawler is configured to load sitemaps or robots.txt files and the attacker can control their contents.
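As an added defensive illustration (not crawlee's own code and not the 1.7.0 fix), the following is a static allow-list check a crawler can apply to every URL taken from a robots.txt or sitemap before fetching it: it rejects non-HTTP schemes and loopback, private and link-local hosts, which closes the internal-endpoint and local-file cases the advisory describes. The sample robots.txt and sitemap are constructed, and the function names are this example's own assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

def is_safe_crawl_url(url):
    """Accept only http(s) URLs whose host is not loopback, private or link-local."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return False
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name passes this static check; the address it resolves to must be
        # re-validated at connect time, or DNS can still steer the request inward.
        return True
    return ip.is_global  # False for 10/8, 127/8, 169.254/16, 192.168/16, ::1, ...

def sitemap_urls(xml_text):
    """Extract <loc> entries from a sitemap document."""
    root = ET.fromstring(xml_text)
    return [loc.text.strip() for loc in root.iter(SITEMAP_NS + "loc") if loc.text]

def robots_sitemap_urls(robots_text):
    """Extract 'Sitemap:' directives from a robots.txt body."""
    found = []
    for line in robots_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "sitemap" and value.strip():
            found.append(value.strip())
    return found

def filter_urls(urls):
    """Keep only the URLs the crawler is allowed to fetch."""
    return [u for u in urls if is_safe_crawl_url(u)]

# Constructed sample inputs of the kind a hostile site could serve.
SAMPLE_ROBOTS = ("User-agent: *\nSitemap: https://example.com/sitemap.xml\n"
                 "Sitemap: http://10.0.0.5/internal/\nSitemap: file:///local/path\n")
SAMPLE_SITEMAP = ('<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">'
                  "<url><loc>https://example.com/page</loc></url>"
                  "<url><loc>http://127.0.0.1:8080/admin</loc></url><url><loc>http://[::1]/</loc></url>"
                  "<url><loc>gopher://example.com/</loc></url></urlset>")
```

Applying `filter_urls` to the sample inputs keeps only the two public https URLs; the private, loopback, IPv6-loopback, file and gopher entries are dropped before any request is made.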
