PT-2026-28444 · Microsoft · Playwright

Published: 2026-03-26 · Updated: 2026-05-01 · CVE-2026-32857
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Firecrawl versions 2.8.0 and earlier
Description: The Playwright scraping service contains a server-side request forgery (SSRF) protection bypass. The network policy check is applied only to the initial URL supplied by the user, not to the destinations of any subsequent redirects. An attacker can supply a URL that passes validation and then redirects to an internal or otherwise restricted resource; the browser follows the redirect and fetches the final destination without revalidating it, giving the attacker access to internal network services and sensitive endpoints (cloud instance metadata being the usual target). This is not a case of absent SSRF protection: the check exists but is enforced only on the initial request, so the gap is that it is never re-applied to the redirected destination.
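The gap described above, as an added example (not Firecrawl's or Playwright's own code): a minimal URL policy, a scraper that applies it once to the user-supplied URL and then follows redirects blindly, and the hardened variant that re-applies the same policy to every hop before it is requested. The hosts attacker.example and docs.example, the in-memory redirect chain, and all function names are constructed for the illustration.

```javascript
// Added example, not Firecrawl's or Playwright's code: the same URL policy
// applied once (vulnerable) versus on every redirect hop (hardened).
// The policy is deliberately minimal; a real service must also resolve DNS
// and check every returned address, otherwise a public hostname that resolves
// to an internal IP (or DNS rebinding) slips through.

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Hosts a scraper must never contact: loopback, link-local (cloud metadata
// lives at 169.254.169.254), RFC 1918 ranges, unspecified, and v6 equivalents.
function isBlockedHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, ""); // WHATWG URL keeps [] on IPv6
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  const m = IPV4.exec(h);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]);
    return a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  if (h.includes(":")) { // IPv6 literal
    return h === "::" || h === "::1" || h.startsWith("fc") || h.startsWith("fd") ||
      h.startsWith("fe80") || h.startsWith("::ffff:");
  }
  return false;
}

// The network policy: only http(s), only to hosts that are not blocked.
function isAllowedUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return false; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  return !isBlockedHost(u.hostname);
}

// Constructed in-memory "network" standing in for the browser's fetches.
// The attacker-controlled host answers with a public-looking redirect chain
// that ends at the cloud metadata service.
const FAKE_NET = {
  "https://attacker.example/start": { redirect: "/hop2" },
  "https://attacker.example/hop2": { redirect: "http://169.254.169.254/latest/meta-data/" },
  "http://169.254.169.254/latest/meta-data/": { body: "ami-id\ninstance-id\n" },
  "https://docs.example/": { redirect: "https://docs.example/index.html" },
  "https://docs.example/index.html": { body: "<html>public page</html>" },
};

function fetchOnce(url) {
  const e = FAKE_NET[url];
  if (!e) return { status: 404 };
  return e.redirect ? { status: 302, location: e.redirect } : { status: 200, body: e.body };
}

// Vulnerable pattern (the bug in the description): validate the user's URL once,
// then let redirects be followed with no further check.
function scrapeValidateOnce(startUrl, maxHops = 5) {
  if (!isAllowedUrl(startUrl)) return { ok: false, reason: "blocked", url: startUrl };
  let url = startUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    const r = fetchOnce(url);
    if (r.status === 302) { url = new URL(r.location, url).href; continue; } // relative Location resolved against current URL
    return { ok: r.status === 200, url, body: r.body };
  }
  return { ok: false, reason: "too many redirects", url };
}

// Hardened pattern: run the identical policy on every hop before it is requested.
function scrapeValidateEachHop(startUrl, maxHops = 5) {
  let url = startUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!isAllowedUrl(url)) return { ok: false, reason: "blocked", url };
    const r = fetchOnce(url);
    if (r.status === 302) { url = new URL(r.location, url).href; continue; }
    return { ok: r.status === 200, url, body: r.body };
  }
  return { ok: false, reason: "too many redirects", url };
}
```

With the chain above, scrapeValidateOnce returns the metadata body because only attacker.example was ever checked, while scrapeValidateEachHop stops at the second hop with reason "blocked". In a browser-driven scraper the engine follows redirects on its own, so the per-hop check has to be attached at the request-interception layer (or automatic redirects disabled and followed manually); the in-memory fetcher here only models that loop. The WHATWG URL parser normalizes numeric IPv4 spellings (hex, octal, single integer) to dotted decimal before isBlockedHost sees them, so those common bypasses are covered; hostname-based bypasses are not, which is why a production check must also validate the resolved addresses.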
Recommendations: Affected installations (the affected range given above is 2.8.0 and earlier) should be updated to a release that contains the fix.

Fix

Weakness Enumeration: SSRF
Related Identifiers: CVE-2026-32857
Affected Products: Firecrawl, Playwright