What happened
Prior to version 0.9.0, Crawl4AI's Docker API server passed user-supplied browser_config.extra_args directly into Chromium's launch arguments without sanitization. Because these arguments control the child process invocation, an attacker could substitute the launch command entirely, resulting in remote code execution with no authentication required beyond API access.
Why it matters
Crawl4AI is a popular open-source crawler purpose-built for feeding LLM/RAG pipelines. A CVSS 10.0 unauthenticated RCE in its Docker API server means any internet-facing or multi-tenant Crawl4AI deployment used to source content for AI applications can be fully taken over, enabling data theft, lateral movement into connected AI infrastructure, or use as a foothold for further attacks — directly analogous to the JadePuffer/Langflow pattern of AI-tool RCE leading to full compromise.
Attack vector
The Docker API server accepts request-supplied browser_config.extra_args, which flow unsanitized into Chromium's launch arguments. An attacker can inject Chromium command-line switches that replace the child-process launch command, achieving arbitrary code execution on the server hosting the crawler.
Affected systems
Crawl4AI (unclecode/crawl4ai) Docker API server, versions prior to 0.9.0
Mitigation
Upgrade to Crawl4AI >= 0.9.0. Do not expose the Crawl4AI Docker API server to untrusted networks without an allowlist on browser_config parameters.