"details": "### Summary\n\nMultiple security vulnerabilities in the Crawl4AI Docker API server affecting endpoints for crawling, markdown/LLM extraction, screenshots, PDFs, webhooks, monitoring, JavaScript execution, and configuration.\n\n### Vulnerabilities\n\n#### 1. Arbitrary File Write via /screenshot and /pdf (CWE-22, CVSS 9.1)\n\nThe `output_path` parameter accepts arbitrary filesystem paths with no validation. An attacker can overwrite server files (DoS) or write to any appuser-writable location.\n\n**Fix:** Added `validate_output_path()` restricting writes to `CRAWL4AI_OUTPUT_DIR` (/tmp/crawl4ai-outputs by default). Added Pydantic `field_validator` rejecting `..` traversal sequences.\n\n#### 2. SSRF via Webhook URL (CWE-918, CVSS 8.6)\n\nWebhook URLs in `/crawl/job` and `/llm/job` accept internal/private IPs with no validation, enabling Server-Side Request Forgery against cloud metadata endpoints (169.254.169.254), internal services, and Docker networks.\n\n**Fix:** Added `validate_webhook_url()` with blocklist for RFC 1918, loopback, link-local, cloud metadata IPs and hostnames. Validation at both job submission and send time. Explicit `follow_redirects=False`.\n\n#### 3. Authentication Bypass on Monitor Endpoints (CWE-306, CVSS 6.5)\n\nThe monitor router was mounted without `token_dep` dependency, making all monitoring endpoints (including destructive ones like `/monitor/actions/cleanup`) accessible without authentication.\n\n**Fix:** Added `dependencies=[Depends(token_dep)]` to monitor router. Added explicit token check on WebSocket `/monitor/ws` endpoint.\n\n#### 4. Stored XSS in Monitor Dashboard (CWE-79, CVSS 6.1)\n\nURLs and error messages rendered in the monitor dashboard via `innerHTML` without escaping, enabling stored XSS via crafted crawl URLs.\n\n**Fix:** Server-side `html.escape()` on URL and error storage. Client-side `escapeHtml()` wrapper on all `innerHTML` template injections.\n\n#### 5. Arbitrary JavaScript Execution via /execute_js (CWE-94, CVSS 8.1)\n\nThe `/execute_js` endpoint accepts and executes arbitrary JavaScript in the server's browser with `--disable-web-security` enabled, combining arbitrary JS execution with SSRF capability.\n\n**Fix:** Disabled by default via `CRAWL4AI_EXECUTE_JS_ENABLED` env var. Added SSRF blocklist on destination URL. Removed `--disable-web-security` from default browser args.\n\n#### 6. Hardcoded JWT Secret Key (CWE-798, CVSS 9.8)\n\nThe JWT signing key defaults to `\"mysecret\"` in the public source code, allowing anyone to forge valid authentication tokens.\n\n**Fix:** Removed default value. Added startup validation rejecting weak/short secrets. Auto-generates ephemeral key when JWT enabled but no key set.\n\n#### 7. SSRF via Direct Crawl Endpoints /crawl, /md, /llm (CWE-918, CVSS 8.6)\n\nThe primary crawl entry points (`/crawl`, `/crawl/stream`, `/md`, `/llm`) fetch arbitrary user-supplied URLs with no destination validation, enabling Server-Side Request Forgery against internal services, Docker networks, and cloud metadata endpoints (169.254.169.254). A blocklist that only inspects the literal hostname is additionally bypassable via IPv6-mapped IPv4 addresses (e.g. `[::ffff:169.254.169.254]`, `[::ffff:10.0.0.1]`), which resolve to the blocked private/metadata ranges but evade a naive string check.\n\n**Fix:** Added URL destination validation on all crawl/md/llm entry points, reusing the SSRF blocklist (RFC 1918, loopback, link-local, cloud-metadata IPs and hostnames). IPv6-mapped IPv4 addresses are normalized to their IPv4 form before the blocklist check, closing the mapping bypass. `raw://` URLs are skipped. Validation applies at request entry, not only at fetch time.\n\n### Workarounds\n\n1. Upgrade to the patched version (recommended)\n2. Set `CRAWL4AI_API_TOKEN` to enable authentication\n3. Set a strong `SECRET_KEY` (min 32 chars) if using JWT\n4. Restrict network access to the Docker API\n\n### Credits\n\n- Jeongbean Jeon - file write, SSRF, monitor auth bypass, stored XSS\n- wulonchia - file write via output_path (independent report)\n- by111 ([August829](https://github.com/August829)) - hardcoded JWT, eval in /config/dump, /execute_js, hook sandbox escape\n- secsys_codex - SSRF via /md, /crawl, /llm endpoints + IPv6-mapped IPv4 bypass (URL destination validation)\n- Velayutham Selvaraj ([LinkedIn](https://www.linkedin.com/in/velayuthamselvaraj)) - SSRF via missing host validation in validate_url_scheme (independent report)\n- IcySun & Yashon - SSRF, arbitrary file write, missing-auth-by-default, hook sandbox bypass via asyncio (independent report)",
0 commit comments