crawl4ai Docker API Server Allows LLM Endpoint Control and Environment Variable Exfiltration
The Docker API server allowed attackers to control the LLM endpoint (base_url) and read arbitrary environment variables via env: in api_token, leading to exfiltration of secrets.
What changed
The Docker API server allowed attackers to control the LLM endpoint (base_url) and read arbitrary environment variables via env: in api_token, leading to exfiltration of secrets. The fix ignores request-supplied base_url and blocks env: resolution for protected variable names.
Who it affects
Users running the crawl4ai Docker API server without authentication, especially those with LLM provider API keys or other secrets (e.g., SECRET_KEY, REDIS_PASSWORD) in the server environment.
What to do today
Upgrade to the patched version immediately, enable authentication via CRAWL4AI_API_TOKEN, and avoid storing sensitive secrets alongside provider keys.