Impact
Crawl4AI’s Docker API server performed SSRF destination checking only on the user-supplied crawl URL and ignored any proxy configuration supplied by the caller. An unauthenticated request to the /crawl, /crawl/stream, or /crawl/job endpoints can specify a proxy pointing at an internal IP address; Chromium, acting as the egress agent, then forwards its requests through that proxy. Because the API does not validate the proxy address, the crawler can reach internal services and cloud-metadata endpoints while the crawl URL itself passes the destination check. This gives an attacker internal network access, allowing reconnaissance, data exfiltration, or further exploitation of internal resources. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) and was fixed in version 0.8.9.
Affected Systems
The issue affects the open‑source Crawl4AI project, specifically any deployment of Crawl4AI versions prior to 0.8.9. Unauthenticated access to the Docker API endpoints – /crawl, /crawl/stream, and /crawl/job – allows an attacker to specify browser_config.proxy_config.server, browser_config.proxy, crawler_config.proxy_config.server, and various extra_args flags that all feed Chromium’s egress without validation. Consequently, any installation running an unpatched version of Crawl4AI and exposing the Docker API to the network is vulnerable.
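The missing check described in the Impact and Affected Systems sections, written out as an added example (this is not Crawl4AI's own code or its actual fix): every host Chromium may connect to, meaning the crawl URL and each of the proxy fields named above, is resolved and compared against internal and cloud-metadata ranges, and the request is refused if any of them is blocked. The request-body layout (`urls`, `browser_config`, `crawler_config`) and the use of Chromium's `--proxy-server` flag as the `extra_args` form are assumptions; the advisory does not name the specific flags, so that part is illustrative.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Ranges an outbound crawler must never reach, whether as the crawl destination
# or as a proxy that Chromium would forward traffic through.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",        # link-local; cloud metadata lives at 169.254.169.254
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Assumed request-body paths for the proxy fields the advisory names.
PROXY_PATHS = (
    ("browser_config", "proxy"),
    ("browser_config", "proxy_config", "server"),
    ("crawler_config", "proxy_config", "server"),
)

def is_blocked_address(ip):
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)   # ::ffff:10.0.0.1 -> 10.0.0.1
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in BLOCKED_NETWORKS)

def default_resolver(host):
    """Literal IPs parse as themselves; names go through DNS (every A/AAAA answer)."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}

def make_static_resolver(table):
    """Offline resolver for tests: names come from a constructed table."""
    def resolve(host):
        try:
            return {str(ipaddress.ip_address(host))}
        except ValueError:
            return set(table[host])
    return resolve

def _dig(obj, path):
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def proxy_targets(request):
    """Every proxy value the caller can set: the three config fields plus
    Chromium's --proxy-server flag in extra_args (assumed syntax: 'host:port',
    'scheme://host:port', or per-scheme lists like 'http=a:1;https=b:2')."""
    targets = [v for v in (_dig(request, p) for p in PROXY_PATHS)
               if isinstance(v, str) and v]
    for arg in _dig(request, ("browser_config", "extra_args")) or []:
        m = re.match(r"^--proxy-server=(.+)$", str(arg))
        if not m:
            continue
        for part in re.split(r"[;,]", m.group(1)):
            part = re.sub(r"^(https?|ftp|socks)=", "", part.strip())
            if part and part.lower() != "direct://":
                targets.append(part)
    return targets

def host_of(value):
    """Host from a URL or a bare host:port; userinfo and port are dropped."""
    if "://" not in value:
        value = "http://" + value
    return urlsplit(value).hostname

def _check(candidates, resolver):
    findings = []
    for field, value in candidates:
        host = host_of(value)
        if not host:
            findings.append((field, value, "unparseable host"))
            continue
        try:
            ips = resolver(host)
        except (OSError, LookupError):           # fail closed on DNS failure
            findings.append((field, host, "could not resolve"))
            continue
        for ip in sorted(ips):
            if is_blocked_address(ip):
                findings.append((field, host, f"resolves to blocked address {ip}"))
                break
    return findings

def check_urls_only(request, resolver=default_resolver):
    """The pre-0.8.9 shape of the check: only the crawl URLs are inspected."""
    return _check([("url", u) for u in request.get("urls", [])], resolver)

def check_request(request, resolver=default_resolver):
    """Hardened form: crawl URLs and every proxy host are inspected.
    Returns (field, host, reason) findings; an empty list means allowed."""
    candidates = [("url", u) for u in request.get("urls", [])]
    candidates += [("proxy", p) for p in proxy_targets(request)]
    return _check(candidates, resolver)
```

With a constructed request whose crawl URL is public but whose `proxy_config.server` points at 169.254.169.254, `check_urls_only` returns no findings while `check_request` flags the proxy; that gap is the vulnerability. Two caveats for anyone adopting this pattern: the check validates what a name resolves to at request time, so a later re-resolution by Chromium (DNS rebinding) can still differ, and an egress network policy on the container should back it up; and unresolvable or unparseable values are rejected rather than passed through.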
Risk and Exploitability
The CVSS score of 8.6 indicates a high-severity vulnerability that could lead to further compromise. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. An attacker would send an unauthenticated request to the Docker API carrying a proxy configuration that points at an internal host, causing the crawler to reach arbitrary internal hosts. If the Docker API is exposed to the public internet or an untrusted network, the risk is elevated and immediate remediation is recommended.
OpenCVE Enrichment
Github GHSA