What happened
The Crawl4AI Docker API's SSRF protection validates only the crawl target URL. The proxy parameter is not subject to the same destination check, allowing an unauthenticated caller to route the headless browser through any address — including internal cloud metadata endpoints (169.254.169.254), internal APIs, or other network-adjacent services.
Why it matters
In cloud-deployed AI pipelines, this SSRF enables exfiltration of instance metadata credentials (AWS/GCP/Azure IAM tokens), access to internal AI model serving endpoints, and reconnaissance of private network topology — all without authentication.
Attack vector
An unauthenticated attacker sends a crawl request whose proxy address points to an internal IP. The Docker API server validates only the crawl target URL, not the proxy address, so the browser's traffic is routed through the attacker-specified internal proxy.
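The following is an added illustration of the gap described in "What happened" and "Attack vector"; it is not Crawl4AI's own code, and the function names, blocked ranges and test addresses are constructed for this example. It shows the flawed pattern (only the target URL is checked) beside a version that runs the same destination check over the proxy parameter, and assumes hostnames are resolved once with the system resolver.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Loopback, private and link-local ranges a server-side browser must never reach.
# 169.254.0.0/16 contains the cloud metadata endpoint 169.254.169.254.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def _resolve(host):
    """Default resolver: every A/AAAA answer for host, as address strings."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def destination_allowed(url, schemes, resolve=_resolve):
    """True only if url uses an allowed scheme and no address it points at is blocked."""
    parsed = urlparse(url)
    if parsed.scheme not in schemes or not parsed.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(parsed.hostname)]          # IP literal, no DNS
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(parsed.hostname)]
    return not any(addr in net for addr in addrs for net in BLOCKED_NETWORKS)


def validate_request_vulnerable(url, proxy=None, resolve=_resolve):
    """The flawed pattern from the advisory: only the crawl target is checked,
    so an internal proxy address passes untouched."""
    return [] if destination_allowed(url, ("http", "https"), resolve) else ["url"]


def validate_request(url, proxy=None, resolve=_resolve):
    """Hardened pattern: the proxy is a destination the browser connects to, so it
    gets the same check. Returns the rejected parameter names; [] means proceed."""
    rejected = []
    if not destination_allowed(url, ("http", "https"), resolve):
        rejected.append("url")
    if proxy and not destination_allowed(proxy, ("http", "https", "socks5"), resolve):
        rejected.append("proxy")
    return rejected
```

Checking a hostname at validation time still leaves a DNS rebinding window; the address that passed the check should be the one the browser is actually made to connect to.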
Affected systems
Crawl4AI < 0.8.9
Mitigation
Upgrade to Crawl4AI 0.8.9. Advisory: https://github.com/unclecode/crawl4ai/security/advisories/GHSA-6qhc-x826-342c