Description
Crawlee is a web scraping and browser automation library. From version 1.0.0 to before version 1.7.0, Crawlee is vulnerable to SSRF via sitemap-derived URLs. This issue has been patched in version 1.7.0.
Published: 2026-06-10
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Crawlee, a web scraping and browser automation library, contains an SSRF flaw in versions prior to 1.7.0 that stems from processing URLs extracted from sitemaps. The vulnerability allows an attacker to influence the URL parameter accepted by the library, potentially causing the application to resolve and request arbitrary addresses. This could expose internal services and server resources to unintended outsiders, undermining confidentiality and potentially allowing further exploitation if the internal network is compromised.

Affected Systems

Affected systems include the Apify Crawlee Python library, any application that imports and uses it, specifically versions 1.0.0 through 1.6.x. The issue does not affect other versions, such as 1.7.0 and newer, which have the SSRF patch applied.

Risk and Exploitability

With a CVSS score of 2.3 the risk is classed as low, and EPSS data is not available so exploitation likelihood cannot be quantified from public metrics. The vulnerability is not listed in CISA KEV, further indicating limited known exploitation. The likely attack vector involves an attacker supplying or manipulating a sitemap URL that the application processes, which is a typical scenario for web crawlers or automated data collection services. Consequently, any application that automatically consumes external sitemaps could be at risk if not properly isolated or constrained.

Generated by OpenCVE AI on June 10, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Crawlee Python to version 1.7.0 or later
  • Restrict or sanitize sitemap URLs to prevent internal or private network addresses from being processed
  • Implement network segmentation or firewall rules to block outbound connections to internal IP ranges from the application environment

Generated by OpenCVE AI on June 10, 2026 at 17:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3r75-xc34-5f44 Crawlee for Python: SSRF via sitemap-derived URLs
History

Wed, 10 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description Crawlee is a web scraping and browser automation library. From version 1.0.0 to before version 1.7.0, Crawlee is vulnerable to SSRF via sitemap-derived URLs. This issue has been patched in version 1.7.0.
Title SSRF via sitemap-derived URLs in Crawlee for Python
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T18:19:35.807Z

Reserved: 2026-05-14T18:06:06.812Z

Link: CVE-2026-46497

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-10T16:17:08.890

Modified: 2026-06-10T20:19:06.020

Link: CVE-2026-46497

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T18:00:15Z

Weaknesses