PT-2026-50166 · Pypi · Crawl4Ai

Published: 2026-06-16 · Updated: 2026-06-16 · CVE-2026-53755

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Summary

The Docker API server applied its SSRF destination check to the crawl target URL only, not to the proxy address. An unauthenticated request could supply a proxy pointing at an internal IP and route the browser through it, reaching internal services and cloud-metadata endpoints, while using a perfectly valid crawl URL. The Docker API is unauthenticated by default.

Affected paths

/crawl, /crawl/stream, and /crawl/job accept a browser_config (and crawler_config). The following all feed Chromium's egress and were unchecked:
  • browser_config.proxy_config.server
  • browser_config.proxy (deprecated field)
  • crawler_config.proxy_config.server
  • --proxy-server / --proxy-pac-url / --proxy-bypass-list / --host-resolver-rules flags in browser_config.extra_args

Attack

An attacker sends /crawl with a benign, validation-passing URL but a proxy_config.server pointing at an internal IP. Chromium routes all requests through that proxy. For plain-HTTP targets the proxy receives the full request and can return any content, which is then returned verbatim in the crawl result (results[0].html / cleaned_html / markdown). In a real deployment the proxy would be an attacker-controlled server pointing at cloud metadata (e.g. AWS IMDSv1 at 169.254.169.254) to retrieve IAM credential tokens.

Impact

Unauthenticated server-side request forgery to internal services and cloud-metadata endpoints, with the response returned to the attacker.

Fix

Every proxy destination is validated with the same global-routability check used for crawl URLs (reject any resolved address that is not global, including IPv6 transition forms) before the browser is constructed; proxy/DNS-redirecting flags are stripped from extra_args. A legitimate public proxy still works. Honors CRAWL4AI_ALLOW_INTERNAL_URLS.
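The two parts of the fix described above, as an added example that is not Crawl4AI's own code: a proxy check that unwraps IPv6 transition forms (IPv4-mapped, 6to4, Teredo) before judging global routability, and a filter that drops the listed egress-redirecting switches from extra_args. The resolver parameter and the proxy-string formats accepted are assumptions so the check can run offline against constructed addresses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Chromium switches the advisory lists as redirecting egress; dropped from extra_args.
EGRESS_FLAGS = {"--proxy-server", "--proxy-pac-url", "--proxy-bypass-list", "--host-resolver-rules"}


def _is_global(ip):
    """Global-routability check that first unwraps IPv6 transition forms so the
    embedded IPv4 address is what gets judged (::ffff:10.0.0.1 must read as 10.0.0.1)."""
    if isinstance(ip, ipaddress.IPv6Address):
        embedded = ip.ipv4_mapped
        if embedded is None:
            embedded = ip.sixtofour
        if embedded is None and ip.teredo is not None:
            embedded = ip.teredo[1]          # (server, client) tuple; client is the host
        if embedded is not None:
            return _is_global(embedded)
    return ip.is_global


def resolve(host):
    """Default resolver: every address the host resolves to. Tests pass constructed stubs."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def proxy_is_allowed(proxy_server, allow_internal=False, resolver=resolve):
    """Apply the crawl-URL destination check to a proxy string ("host:port" or
    "scheme://host:port", an assumed format). Fails closed: an unparsable or
    unresolvable proxy, or any resolved non-global address, rejects it."""
    if allow_internal:                       # mirrors CRAWL4AI_ALLOW_INTERNAL_URLS
        return True
    spec = proxy_server if "://" in proxy_server else "http://" + proxy_server
    try:
        host = urlsplit(spec).hostname
        if not host:
            return False
        addrs = resolver(host)
    except (ValueError, OSError):            # bad literal, or DNS failure
        return False
    return bool(addrs) and all(_is_global(ipaddress.ip_address(a)) for a in addrs)


def strip_egress_flags(extra_args):
    """Remove --flag=value entries whose flag re-routes Chromium's egress; keep the rest."""
    return [a for a in extra_args if a.split("=", 1)[0] not in EGRESS_FLAGS]
```

Run the check on every proxy field the advisory lists (browser_config, crawler_config and the deprecated field) before the browser is constructed, since a proxy passing as a literal IP never touches the resolver.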

Workarounds

  • Upgrade to the patched version (0.8.9).
  • Enable authentication (CRAWL4AI_API_TOKEN).
  • Restrict the container's outbound network access (egress firewall / no metadata route).

Credits

Geo (geo-chen) - reported the proxy_config.server SSRF with a clear PoC.

Related Identifiers

CVE-2026-53755
GHSA-6QHC-X826-342C

Affected Products

Crawl4Ai