python · crawl4ai · Critical
crawl4ai: Critical Security Fixes for Arbitrary File Write, CRLF Injection, and Header Injection
What changed
Three security fixes: (1) Arbitrary file write via symlink/TOCTOU in screenshot/PDF output_path; (2) CRLF log injection; (3) Webhook request-header injection.
Who it affects
Users of crawl4ai Docker API server (unauthenticated by default) who accept user-controlled output_path, URLs, or webhook headers.
What to do today
Upgrade to the patched version immediately; enable CRAWL4AI_API_TOKEN authentication; run container with read-only root filesystem.
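The three issue classes listed under "What changed" share one root cause: user-controlled strings (an output_path, a crawled URL that ends up in a log line, a webhook header) reaching a sensitive sink without validation. The following Python is an added, constructed example of the defensive checks a server would apply at each of those sinks. It is not crawl4ai's own patch and does not reproduce its internals; the function names, the `ALLOWED_OUTPUT_ROOT` directory and the forbidden-header set are assumptions made for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed sink directory for screenshots/PDFs; the real server's location differs.
ALLOWED_OUTPUT_ROOT = Path(tempfile.gettempdir()) / "crawl_output"


def safe_output_path(user_path: str, root: Path = ALLOWED_OUTPUT_ROOT) -> Path:
    """Confine a user-supplied output_path to `root`.

    Symlinks in the supplied path are resolved *before* the containment check,
    so a link inside root that points outside it is rejected rather than written
    through. Absolute paths and '..' escapes fail the same check.
    """
    root = root.resolve()
    candidate = (root / user_path).resolve(strict=False)
    if candidate == root or root not in candidate.parents:
        raise ValueError(f"output_path escapes allowed directory: {user_path!r}")
    return candidate


def write_output_nofollow(path: Path, data: bytes) -> int:
    """Write `data` to `path` without following a symlink at the final component.

    O_NOFOLLOW closes the TOCTOU window between safe_output_path() and the
    write: if the target is swapped for a symlink in between, open() fails
    instead of writing through it. Fail closed on platforms lacking the flag.
    """
    if not hasattr(os, "O_NOFOLLOW"):
        raise RuntimeError("O_NOFOLLOW unavailable; refusing to write untrusted path")
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        return os.write(fd, data)
    finally:
        os.close(fd)


# CR, LF, NUL and the other C0/DEL control characters; these are what let an
# attacker-controlled URL forge a second, fake-looking log record.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: str) -> str:
    """Escape control characters so one log record always stays one line."""
    return _CTRL.sub(lambda m: f"\\x{ord(m.group()):02x}", value)


# RFC 7230 'tchar' set for header names; anything else (spaces, colons, CR/LF)
# cannot be a legitimate header name.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
# Assumed deny-list: headers a caller must not be able to set on an outbound
# webhook request because they change request framing or routing.
_FORBIDDEN_HEADERS = {"host", "content-length", "transfer-encoding"}


def validate_webhook_headers(headers: dict) -> dict:
    """Reject header names/values that could inject extra headers or alter framing."""
    clean = {}
    for name, value in headers.items():
        if not isinstance(name, str) or not _TOKEN.match(name):
            raise ValueError(f"invalid header name: {name!r}")
        if name.lower() in _FORBIDDEN_HEADERS:
            raise ValueError(f"header not permitted: {name!r}")
        if not isinstance(value, str) or any(c in value for c in "\r\n\x00"):
            raise ValueError(f"control character in header value for {name!r}")
        clean[name] = value
    return clean


if __name__ == "__main__":
    # Constructed demonstration inputs; the attacker-style strings are only
    # here to show that each check rejects them.
    root = Path(tempfile.mkdtemp())
    target = safe_output_path("page.png", root)
    print("wrote", write_output_nofollow(target, b"\x89PNG..."), "bytes to", target)
    for bad in ("../../etc/cron.d/job", "/etc/passwd"):
        try:
            safe_output_path(bad, root)
        except ValueError as e:
            print("rejected:", e)
    print(sanitize_for_log("http://example.test/\r\nINFO forged line"))
    try:
        validate_webhook_headers({"X-Trace": "1\r\nX-Injected: yes"})
    except ValueError as e:
        print("rejected:", e)
```

Each check is deliberately placed at the sink rather than at the API boundary, so it holds regardless of which route supplied the value; the path check and the O_NOFOLLOW open together cover both the static symlink case and the race between check and write.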