Firecrawl SSRF Vulnerability via malicious webhook_CVE-2025-57818

6.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Description

Firecrawl turns entire websites into LLM-ready markdown or structured data. Prior to version 2.0.1, a server-side request forgery (SSRF) vulnerability was discovered in Firecrawl's webhook functionality. Authenticated users could configure a webhook to an internal URL and send POST requests with arbitrary headers, which may have allowed access to internal systems. This has been fixed in version 2.0.1. If upgrading is not possible, it is recommend to isolate Firecrawl from any sensitive internal systems.

Basic Information

ID CVE-2025-57818

Source GitHub_M

Published Aug 26, 2025 at 17:52

Affected Product

Vendor firecrawl

Product firecrawl

Version < 2.0.1

Affected Versions firecrawl firecrawl < 2.0.1

CWE Classification

CWE-918

References

{
    "lastseen": "",
    "description": "Firecrawl turns entire websites into LLM-ready markdown or structured data. Prior to version 2.0.1, a server-side request forgery (SSRF) vulnerability was discovered in Firecrawl's webhook functionality. Authenticated users could configure a webhook to an internal URL and send POST requests with arbitrary headers, which may have allowed access to internal systems. This has been fixed in version 2.0.1. If upgrading is not possible, it is recommend to isolate Firecrawl from any sensitive internal systems.",
    "published": "2025-08-26T17:52:43.868Z",
    "modified": "2025-08-26T17:52:43.868Z",
    "type": "cve",
    "title": "Firecrawl SSRF Vulnerability via malicious webhook",
    "source": "GitHub_M",
    "references": "https://github.com/firecrawl/firecrawl/security/advisories/GHSA-p2wg-prhf-jx79\nhttps://github.com/firecrawl/firecrawl/commit/b15fae51a760e9810a66bbfde5d5693d0df3fbeb\nhttps://github.com/firecrawl/firecrawl/commit/e8cf0985b07968061a6b684b58097732e827ed46\nhttps://github.com/firecrawl/firecrawl/releases/tag/v2.0.1",
    "id": "CVE-2025-57818",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "firecrawl firecrawl < 2.0.1",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "firecrawl",
    "version": "< 2.0.1",
    "vendor": "firecrawl",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}