| Version | Supported |
|---|---|
| 0.8.x | ✅ |
| 0.7.x | ❌ (upgrade recommended) |
| < 0.7 | ❌ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please report via one of these methods:
1. GitHub Security Advisories (Preferred)
   - Go to Security Advisories
   - Click "New draft security advisory"
   - Fill in the details
2. Email
   - Send details to: security@crawl4ai.com
   - Use subject: `[SECURITY] Brief description`
   - Include:
     - Description of the vulnerability
     - Steps to reproduce
     - Potential impact
     - Any suggested fixes
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Resolution Timeline: Depends on severity
  - Critical: 24-72 hours
  - High: 7 days
  - Medium: 30 days
  - Low: 90 days
- We follow responsible disclosure practices
- We will coordinate with you on disclosure timing
- Credit will be given to reporters (unless anonymity is requested)
- We may request CVE assignment for significant vulnerabilities
If you're running the Crawl4AI Docker API in production:

1. Enable Authentication

   ```yaml
   # config.yml
   security:
     enabled: true
     jwt_enabled: true
   ```

   ```bash
   # Set a strong secret key
   export SECRET_KEY="your-secure-random-key-here"
   ```

2. Hooks are Disabled by Default (v0.8.0+)
   - Only enable if you trust all API users
   - Set `CRAWL4AI_HOOKS_ENABLED=true` only when necessary
3. Network Security
   - Run behind a reverse proxy (nginx, traefik)
   - Use HTTPS in production
   - Restrict access to trusted IPs if possible
4. Container Security
   - Run as non-root user (default in our container)
   - Use read-only filesystem where possible
   - Limit container resources
When using Crawl4AI as a Python library:
- Validate URLs before crawling untrusted input: at minimum, allow only `http` and `https` schemes rather than blocking a list of known-bad ones
- Treat extracted content as attacker-controlled: sanitize it before rendering it, storing it, or passing it to other systems
- Be cautious with hooks: they execute arbitrary Python in the crawler process, so never construct them from untrusted input
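The library-side URL check described above, as an added example (not Crawl4AI's own code): it applies the same idea as the API's scheme validation, but as an `http`/`https` allowlist so that schemes the blocklist never named are rejected too. It assumes only the Python standard library; the sample inputs are constructed for the demonstration.

```python
"""Allowlist validation of URLs before a crawler touches untrusted input.

Added example, not code from Crawl4AI: it rejects file://, javascript: and
data: URLs by allowing only http/https, which also rejects any scheme the
blocklist never named (ftp, gopher, vbscript, ...).
"""
from urllib.parse import urlsplit

# Only schemes a crawler should ever fetch on behalf of an untrusted caller.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class UnsafeURLError(ValueError):
    """Raised for a URL that must not be passed to the crawler."""


def _strip_controls(raw: str) -> str:
    """Remove ASCII C0 controls and DEL, then surrounding whitespace.

    Browsers drop these characters, so "java\\tscript:alert(1)" is a live
    javascript: URL in a browser while a naive substring check misses it.
    """
    kept = [ch for ch in raw if ord(ch) > 0x1F and ord(ch) != 0x7F]
    return "".join(kept).strip()


def validate_crawl_url(raw: str) -> str:
    """Return the cleaned URL if it is a fetchable http(s) URL, else raise.

    Rejects non-http(s) schemes (file, javascript, data, ftp, ...), their
    mixed-case variants, scheme-less input such as "example.com" (urlsplit
    parses it as a bare path), URLs without a host, and input urlsplit
    itself refuses (e.g. malformed IPv6 brackets).
    """
    if not isinstance(raw, str):
        raise UnsafeURLError("URL must be a string")
    cleaned = _strip_controls(raw)
    try:
        parts = urlsplit(cleaned)
    except ValueError as exc:
        raise UnsafeURLError(f"unparseable URL: {exc}") from exc
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURLError(f"scheme {scheme or '<none>'!r} is not allowed")
    if not parts.hostname:
        raise UnsafeURLError("URL has no host")
    return cleaned


def is_crawlable(raw: str) -> bool:
    """Boolean form of validate_crawl_url, for filtering input lists."""
    try:
        validate_crawl_url(raw)
    except UnsafeURLError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample input, not taken from any real request log.
    samples = [
        "https://example.com/docs",
        "  HTTP://Example.com/  ",
        "FILE:///etc/passwd",
        "javascript:alert(1)",
        "java\tscript:alert(1)",
        "data:text/html;base64,PHNjcmlwdD4=",
        "example.com",
        "http://",
    ]
    for url in samples:
        print(f"{'ALLOW' if is_crawlable(url) else 'BLOCK':5} {url!r}")
```

This enforces only the scheme and presence of a host; it does not stop a crawler from reaching internal addresses, which needs a separate host/IP policy.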
| ID | Severity | Description | Fix |
|---|---|---|---|
| CVE-pending-1 | CRITICAL | RCE via hooks `__import__` | Removed from allowed builtins |
| CVE-pending-2 | HIGH | LFI via `file://` URLs | URL scheme validation added |
See Security Advisory for details.
- URL Scheme Validation: Blocks `file://`, `javascript:`, `data:` URLs on the API
- Hooks Disabled by Default: Opt-in via `CRAWL4AI_HOOKS_ENABLED=true`
- Restricted Hook Builtins: No `__import__`, `eval`, `exec`, `open`
- JWT Authentication: Optional but recommended for production
- Rate Limiting: Configurable request limits
- Security Headers: X-Frame-Options, CSP, HSTS when enabled
We thank the following security researchers for responsibly disclosing vulnerabilities:
- Neo by ProjectDiscovery - RCE and LFI vulnerabilities (December 2025)
Last updated: January 2026