What happened
Crawl4AI's Docker API server (before 0.8.8) allowed unauthenticated redirection of LLM API traffic and disclosure of arbitrary environment variables via crafted base_url/api_token parameters on its /md, /llm, and /llm/job endpoints, enabling theft of provider API keys and the signing secret used for auth tokens.
Why it matters
Leaking the JWT SECRET_KEY allows full authentication bypass against the service, while LLM provider key theft enables attacker-controlled billing abuse and further pivoting — a high-severity credential exfiltration bug in a widely used AI web-crawling/LLM-extraction tool.
Attack vector
Unauthenticated attackers can call the exposed /md, /llm, and /llm/job endpoints with a malicious base_url parameter to redirect LLM API calls to an attacker-controlled endpoint, and set api_token to env:VARIABLE_NAME to read arbitrary server-side environment variables — exfiltrating LLM provider API keys and the JWT SECRET_KEY used for authentication.
Affected systems
Crawl4AI before 0.8.8 (Docker API server)
Mitigation
Upgrade Crawl4AI to 0.8.8 or later; do not expose the Docker API server unauthenticated; rotate any LLM provider keys and JWT secrets that may have been exposed.