CVE-2025-28197
📋 TL;DR
Crawl4AI versions up to 0.4.247 contain a Server-Side Request Forgery (SSRF) vulnerability in the async_dispatcher.py component. This allows attackers to make unauthorized requests from the vulnerable server to internal or external systems. Anyone running Crawl4AI web scraping/automation software with the vulnerable component exposed is affected.
💻 Affected Systems
- Crawl4AI
📦 What is this software?
Crawl4ai by Kidocode
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot to internal networks, access cloud metadata services, perform port scanning, or interact with internal APIs/services that trust the vulnerable server.
Likely Case
Data exfiltration from internal services, interaction with cloud metadata endpoints (potentially obtaining credentials), or scanning of internal network resources.
If Mitigated
Limited impact if network segmentation restricts outbound connections and internal services require authentication.
🎯 Exploit Status
The GitHub gist shows proof-of-concept exploitation details. SSRF vulnerabilities are commonly weaponized due to their utility in network pivoting.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: > 0.4.247
Vendor Advisory: https://gist.github.com/AndrewDzzz/f49e79b09ce0643ee1fc2a829e8875e0
Restart Required: Yes
Instructions:
1. Upgrade Crawl4AI to version > 0.4.247.
2. Restart the Crawl4AI service/application.
3. Verify the fix by checking the version and testing SSRF protections.
🔧 Temporary Workarounds
Network Access Control
Restrict outbound network connections from Crawl4AI servers using firewall rules (Linux example):
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
Input Validation
Implement URL validation/sanitization in async_dispatcher.py to block internal/restricted addresses (applies to all platforms).
🧯 If You Can't Patch
- Isolate Crawl4AI servers in a restricted network segment with no access to internal resources.
- Implement a reverse proxy with strict URL filtering to block SSRF attempts before they reach the vulnerable component.
🔍 How to Verify
Check if Vulnerable:
Check whether the installed Crawl4AI version is <= 0.4.247 and whether the async_dispatcher.py component is reachable with externally supplied URLs.
Check Version:
pip show crawl4ai | grep Version
Verify Fix Applied:
Test if the patched version rejects requests to internal IPs (127.0.0.1, 192.168.*, 10.*, 172.16-31.*) and cloud metadata endpoints.
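The URL validation workaround and the verification test above both come down to one check: reject any http(s) URL whose host is, or resolves to, a loopback, private, link-local (metadata) or otherwise non-public address. The following is an added example of such a check written for this advisory, not code from the Crawl4AI project or the vendor gist; the blocked hostname list and the DNS table are constructed for offline demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames rejected before resolution (cloud metadata names; assumed list).
BLOCKED_HOSTS = {"metadata.google.internal", "metadata"}

def _is_restricted(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 checks apply.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    # Covers 127/8, 10/8, 172.16/12, 192.168/16, 169.254/16 (metadata),
    # 0.0.0.0, ::1, fc00::/7, fe80::/10, multicast and reserved ranges.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def is_safe_crawl_url(url, resolver=socket.getaddrinfo):
    """True only for http(s) URLs whose host resolves exclusively to public
    unicast addresses. `resolver` is injectable for offline testing."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    if host in BLOCKED_HOSTS:
        return False
    try:  # literal IP address in the URL (userinfo tricks are already stripped)
        return not _is_restricted(ipaddress.ip_address(host))
    except ValueError:
        # Not a plain literal. Odd forms (decimal 2130706433, octal) fall
        # through to the resolver, which normalises them to dotted quads.
        pass
    try:
        answers = resolver(host, None)
    except (socket.gaierror, OSError):
        return False  # unresolvable hosts are not fetched
    addrs = {ipaddress.ip_address(a[4][0]) for a in answers}
    # Reject if *any* answer is restricted: a host returning one public and
    # one internal address must not be fetched.
    return bool(addrs) and not any(_is_restricted(ip) for ip in addrs)

# Constructed DNS answers for offline demonstration (not real records).
_FAKE_DNS = {
    "example.test": ["93.184.216.34"],
    "split.test": ["93.184.216.34", "10.0.0.5"],
    "meta.test": ["169.254.169.254"],
    "localhost": ["127.0.0.1"],
}

def fake_resolver(host, port):
    if host not in _FAKE_DNS:
        raise socket.gaierror(host)
    return [(None, None, 0, "", (a, 0)) for a in _FAKE_DNS[host]]
```

Resolving and checking every answer (rather than matching on the URL string alone) is what catches hostnames that point at internal ranges; to verify a patched install, run the same URL set against the real component and expect rejections wherever this function returns False.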
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Crawl4AI server
- Requests to internal IP ranges or cloud metadata endpoints
Network Indicators:
- HTTP traffic from Crawl4AI server to unexpected destinations
- Port scanning patterns originating from Crawl4AI server
SIEM Query:
source="crawl4ai_logs" AND (url CONTAINS "169.254.169.254" OR url CONTAINS "metadata.google.internal" OR url MATCHES "10\.\d+\.\d+\.\d+")