In crawl4ai versions before 0.8.9, the Docker API server's SSRF protection was incomplete, applying checks only to the crawl target URL but not to proxy addresses supplied in browser or crawler configurations. An unauthenticated attacker could exploit this by providing a proxy configuration that routes requests through internal IP addresses or cloud metadata endpoints, potentially exposing sensitive internal resources. The affected proxy configuration fields include browser_config.proxy_config.server, browser_config.proxy (deprecated), crawler_config.proxy_config.server, and various proxy-related flags in browser_config.extra_args. The Docker API is unauthenticated by default, increasing the risk. This vulnerability was addressed and fixed in version 0.8.9.

An unauthenticated attacker can exploit this SSRF vulnerability to route crawler traffic through internal network proxies, potentially accessing internal services and cloud metadata endpoints that are otherwise inaccessible. This could lead to unauthorized information disclosure of sensitive internal resources. The vulnerability does not impact integrity or availability but has high confidentiality impact.

This vulnerability is fixed in crawl4ai version 0.8.9. Users should upgrade to version 0.8.9 or later to remediate this issue. Since the Docker API is unauthenticated by default, it is also recommended to restrict access to the Docker API server to trusted users and networks to reduce exposure. Patch status is not explicitly stated as 'official-fix' in the advisory, but the fix is included in version 0.8.9 as per the vendor's description.