Description
Firecrawl version 2.8.0 and prior contain a server-side request forgery (SSRF) protection bypass vulnerability in the Playwright scraping service where network policy validation is applied only to the initial user-supplied URL and not to subsequent redirect destinations. Attackers can supply an externally valid URL that passes validation and returns an HTTP redirect to an internal or restricted resource, allowing the browser to follow the redirect and fetch the final destination without revalidation, thereby gaining access to internal network services and sensitive endpoints. This issue is distinct from CVE-2024-56800, which describes redirect-based SSRF generally. This vulnerability specifically arises from a post-redirect enforcement gap in implemented SSRF protections, where validation is applied only to the initial request and not to the final redirected destination.
Published: 2026-03-26
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized internal network access via SSRF
Action: Immediate Patch
AI Analysis

Impact

The vulnerability permits an attacker to bypass Firecrawl’s SSRF protection in the Playwright scraping service. By supplying a URL that passes initial validation but redirects to an internal target, the service follows the redirect and fetches data from a privileged resource. This can expose confidential internal endpoints or services, enabling an attacker to read or manipulate data without authentication. The issue is a classic Server‑Side Request Forgery (CWE‑918).

Affected Systems

Firecrawl versions 2.8.0 and earlier are affected. All deployments that use the Playwright scraping service are potentially at risk, regardless of operating environment. Operators should check the package/version in use and plan an update as soon as a patch is released.

Risk and Exploitability

The CVSS base score is 7.8, signifying a high‑severity flaw. No publicly available exploit statistics are reported, and the vulnerability is not yet catalogued in major exploit databases, indicating it is still emerging. An unauthenticated attacker can trigger the flaw by sending a crafted request to the public Playwright endpoint; the server’s missing post‑redirect validation allows the request to reach any internal network address reachable from the scraper, potentially giving the attacker direct access to protected services.

Generated by OpenCVE AI on March 26, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Firecrawl release that contains the SSRF protection fix; if no patch is available, coordinate with vendor for a release timeline.
  • Until a fix is available, isolate the Playwright service’s outbound traffic so it cannot reach internal IP ranges (for example, block internal subnets at the network level or employ firewall rules that reject redirects to private addresses).
  • Enable and review logging for outbound requests from the Playwright service, and monitor for unexpected internal resource access or abnormal redirects.
  • Apply network segmentation or firewall policies to keep the public scraping endpoint separate from internal services, limiting the impact of any potential redirect‑based SSRF.

Generated by OpenCVE AI on March 26, 2026 at 18:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Firecrawl
Firecrawl firecrawl
Vendors & Products Firecrawl
Firecrawl firecrawl

Thu, 26 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description Firecrawl version 2.8.0 and prior contain a server-side request forgery (SSRF) protection bypass vulnerability in the Playwright scraping service where network policy validation is applied only to the initial user-supplied URL and not to subsequent redirect destinations. Attackers can supply an externally valid URL that passes validation and returns an HTTP redirect to an internal or restricted resource, allowing the browser to follow the redirect and fetch the final destination without revalidation, thereby gaining access to internal network services and sensitive endpoints. This issue is distinct from CVE-2024-56800, which describes redirect-based SSRF generally. This vulnerability specifically arises from a post-redirect enforcement gap in implemented SSRF protections, where validation is applied only to the initial request and not to the final redirected destination.
Title Firecrawl Playwright Service SSRF Protection Bypass via Missing Post-Redirect Validation
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:L'}

Subscriptions

Firecrawl Firecrawl
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T11:18:16.020Z

Reserved: 2026-03-16T18:11:41.759Z

Link: CVE-2026-32857

cve-icon Vulnrichment

Updated: 2026-03-30T11:18:12.263Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-26T18:16:28.953

Modified: 2026-03-30T13:26:50.827

Link: CVE-2026-32857

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:25:50Z

Weaknesses