🟠 高危 | CVE-2026-53755 — Crawl4AI is an open-source LLM friendly web crawle...
🟠 《高危安全漏洞:CVE-2026-53755》
CVSS 评分: 高危(8.6) 状态: Undergoing Analysis 发布时间: 2026-06-23
英文原文描述
Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.9, the Docker API server applied its SSRF destination check to the crawl target URL only, not to the proxy address. An unauthenticated request could supply a proxy pointing at an internal IP and route the browser through it, reaching internal services and cloud-metadata endpoints, while using a perfectly valid crawl URL. The Docker API is unauthenticated by default. /crawl, /crawl/stream, and /crawl/job accept a browser_config (and crawler_config). The following all feed Chromium's egress and were unchecked: browser_config.proxy_config.server, browser_config.proxy (deprecated field), crawler_config.proxy_config.server, and --proxy-server / --proxy-pac-url / --proxy-bypass-list / --host-resolver-rules flags in browser_config.extra_args. This vulnerability is fixed in 0.8.9.
🔍 技术细节
| 字段 | 值 |
|---|---|
| CVE ID | CVE-2026-53755 |
| CVSS 评分 | 8.6 🟠 |
| 严重程度 | 高危 |
| CVSS 向量 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| CWE 分类 | CWE-918 |
| 发布时间 | 2026-06-23 |
| 最后更新 | 2026-06-26 |
| 状态 | Undergoing Analysis |
| 数据来源 | security-advisories@github.com |
🔗 参考链接
🤖 本文由 CVE 安全快讯机器人自动生成
英文描述已由 AI 自动翻译为中文,仅供参考,请以原文为准
数据来源: NVD (National Vulnerability Database) | 获取时间: 2026-06-27 18:07