Crawl4AI: Unauthenticated SSRF on the Docker server streaming crawl path (/crawl/stream) — GHSA-WM69-2PC3-RMMF

ID: GHSA-WM69-2PC3-RMMF
Date:
Activity:
Source: GitHub
Vendor: GitHub
Threat: high
CVSS: 8.6

Summary

The Docker API server applied its SSRF destination check (`validate_url_destination`) on the non-streaming `/crawl` path but not on the streaming path. `handle_stream_crawl_request` passed seed URLs straight to the crawler with no destination validation. A remote, unauthenticated client could call `POST /crawl/stream` (or `POST /crawl` with `crawler_config.stream=true`, which short-circuits to the same…

Product

pip: crawl4ai

What to do

General, cautious steps (verify details in the official source):

  • Prioritize patching or mitigation immediately (treat as actively risky).
  • Identify affected product versions in your inventory and verify whether you are impacted.
  • Apply vendor patches/updates or recommended mitigations as soon as available.
  • Read the official advisory for exact affected versions and remediation steps.